Active exploit in SAP NetWeaver: Auto-Color and CVE-2025-31324

A new wave of attacks has put SAP NetWeaver at center stage because of a critical vulnerability known as CVE‑2025‑31324. This flaw, which allows attackers to take control of systems without authenticating, has been actively exploited to install the Auto‑Color malware, in this case against a chemical company in the US. The discovery was made by the firm Darktrace during an investigation in April 2025.

SAP released a patch in April, but attackers had been exploiting the bug since at least March, before the vulnerability was made public. "Auto‑Color exploits CVE‑2025‑31324" is not just a headline: it is an active reality across multiple sectors, from universities to industrial environments and government.

What is Auto‑Color and why is it so worrying?

Auto‑Color is malware for Linux systems that stands out for its camouflage and persistence capabilities. Once it infects a system:

  • It adapts to the permissions of the user it runs as, to avoid raising suspicion.
  • It can run commands remotely, extract data and establish full control of the affected machine.
  • If it detects that it is in a controlled environment (such as a laboratory), it behaves as if it were harmless, hindering its detection and study.
  • It includes advanced techniques to hide and stay active even after reboots.

The combination of these characteristics makes it particularly dangerous, and the fact that it is delivered by exploiting CVE‑2025‑31324 in SAP NetWeaver makes it a real threat to enterprise environments.

Route of entry and chronology

  • The weak point is in a component of SAP NetWeaver that allows attackers to upload malicious files without being authenticated.
  • Cases of active exploitation have been documented since March, before SAP released the patch, which indicates use as a zero-day.
  • Since the end of April, cybersecurity companies have confirmed specific attacks that combine this vulnerability with the installation of Auto‑Color.

Groups linked to state interests and Chinese ransomware operators are already using this route to compromise targets in multiple sectors.

What this means for your business

If your organization uses SAP NetWeaver and you have not applied the updates, there is a high risk of silent compromise. Auto‑Color is hard to detect, hides well and can go for weeks without being discovered. The exposure window is open, and the exploit is already actively circulating.

Historical context

This is not an isolated case. SAP has historically been an attractive target for threat actors because of its critical role in business operations. Earlier vulnerabilities in NetWeaver, such as RECON (CVE‑2020‑6287), had already been exploited by state and criminal actors for the purposes of espionage and sabotage.
Auto‑Color, for its part, was first documented at the beginning of 2025 affecting universities and governments, and has evolved rapidly in sophistication. Its current deployment marks a dangerous convergence between critical vulnerabilities in enterprise systems and highly evasive malware, showing how attackers prioritize silent and persistent access to key infrastructure.


How can Amber Solutions help you?

At Amber Solutions we can help you prevent this kind of scenario before it occurs, or respond quickly if there has already been an intrusion:

  • Vulnerability analysis and pentesting specialized in SAP: we evaluate whether the client is exposed to vulnerabilities such as, in this case, CVE‑2025‑31324.
  • Cyber Threat Intelligence: we identify active campaigns such as those using Auto‑Color and give you visibility of which TTPs are in play.
  • Incident response and forensic analysis: in case of infection, we can act fast to contain, investigate and remove the threat.
  • Red Team simulations: to anticipate how an attacker could exploit similar flaws within a real environment.

Best not to let this one go: Auto‑Color exploits CVE‑2025‑31324, and that should be enough reason to review the security posture of the company. Amber Solutions helps you manage this vulnerability and others before attackers take advantage of them. Get in touch with us and take the next step towards a strong defense.
