SAP NetWeaver vulnerability exploitation

A recent cyberattack on a US-based chemicals company has highlighted the first known instance of exploiting a vulnerability in SAP NetWeaver to deploy Auto-Color malware. This sophisticated attack, detected by cybersecurity firm Darktrace in April 2025, utilized CVE-2025-31324, a critical vulnerability that allows file uploads to SAP NetWeaver application servers, potentially leading to remote code execution.


Key Takeaways

  • CVE-2025-31324: Exploited to deploy Auto-Color malware.
  • Auto-Color: Utilizes Linux manipulation and adaptive evasion techniques.
  • Darktrace: Prevented malware activation and command-and-control (C2) communication.

Attack Details

The attack began with reconnaissance on April 25, 2025, when the attackers probed specific URIs to check whether the server was vulnerable. The initial compromise came via a ZIP file downloaded from a malicious IP address, accompanied by DNS tunneling requests to OAST domains. The attackers then executed a shell script through a helper.jsp file, establishing connections to C2 infrastructure linked to China-affiliated threat groups.
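Two of the indicators described above, a freshly dropped JSP file being requested and DNS lookups to OAST domains, can be hunted for in ordinary web-server and DNS logs. The script below is an added example, not code from Darktrace or from the original article; the log lines, the JSP allowlist and the OAST domain list are constructed assumptions for illustration.

```python
import re

# Assumed OAST parent domains (illustrative, Interactsh-style services);
# extend with the out-of-band resolver names your own threat intel tracks.
OAST_SUFFIXES = ("oast.fun", "oast.pro", "oast.live", "oast.site", "oast.me", "interact.sh")

# Assumed allowlist of JSP paths the application legitimately serves.
KNOWN_JSP = {"/irj/portal/index.jsp"}

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')
DNS_RE = re.compile(r"^\S+ (\S+) query (\S+)$")

def unknown_jsp_requests(access_lines):
    """(client, method, path, status) for every request to a JSP file that is
    not on the allowlist; a freshly dropped helper.jsp lands here."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        client, method, path, status = m.groups()
        base = path.split("?", 1)[0]          # ignore query strings
        if base.lower().endswith(".jsp") and base not in KNOWN_JSP:
            hits.append((client, method, base, int(status)))
    return hits

def oast_lookups(dns_lines):
    """(host, qname) for DNS queries whose name falls under an OAST domain."""
    hits = []
    for line in dns_lines:
        m = DNS_RE.match(line)
        if not m:
            continue
        host, qname = m.groups()
        name = qname.rstrip(".").lower()      # drop trailing root dot
        if any(name == s or name.endswith("." + s) for s in OAST_SUFFIXES):
            hits.append((host, name))
    return hits

# Constructed sample logs: common-log-format access entries and a simple DNS
# query log ("<timestamp> <source host> query <name>").
ACCESS_LOG = [
    '10.0.0.5 - - [25/Apr/2025:09:12:01 +0000] "GET /irj/portal/index.jsp HTTP/1.1" 200 5123',
    '203.0.113.7 - - [25/Apr/2025:09:14:30 +0000] "GET /helper.jsp HTTP/1.1" 200 87',
    '10.0.0.9 - - [25/Apr/2025:09:15:02 +0000] "GET /static/app.js HTTP/1.1" 200 2210',
]
DNS_LOG = [
    "2025-04-25T09:14:31Z sap-app-01 query www.example.com.",
    "2025-04-25T09:14:35Z sap-app-01 query a1b2c3.oast.fun.",
]

if __name__ == "__main__":
    print(unknown_jsp_requests(ACCESS_LOG))  # [('203.0.113.7', 'GET', '/helper.jsp', 200)]
    print(oast_lookups(DNS_LOG))             # [('sap-app-01', 'a1b2c3.oast.fun')]
```

A hit from both detectors on the same host within a short window is the pattern worth escalating; either one alone is a lead for triage rather than a verdict.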