Cyber Posture

CVE-2026-0500

Critical

Published: 13 January 2026

Modified: 22 January 2026
KEV Added: (no date listed)
Patch
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0012 (31.0th percentile)
Risk Priority: 19 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Due to the use of a vulnerable third-party component in SAP Wily Introscope Enterprise Manager (WorkStation), an unauthenticated attacker could create a malicious JNLP (Java Network Launch Protocol) file accessible by a public-facing URL. When a victim clicks on the URL, the accessed Wily Introscope Server could execute OS commands on the victim's machine. This could completely compromise the confidentiality, integrity and availability of the system.

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Directly remediates the vulnerability in the third-party component of SAP Wily Introscope by requiring identification, reporting, and patching as specified in SAP Note 3668679.

prevent: Restricts execution of mobile code such as malicious JNLP files from untrusted public URLs by prohibiting use from untrusted sources and validating prior to execution.

prevent, detect: Deploys malicious code protection mechanisms such as antivirus to scan for, detect, and prevent execution of the malicious JNLP file that exploits the vulnerable component.

Security Summary [AI]

CVE-2026-0500, published on 2026-01-13, stems from the use of a vulnerable third-party component in SAP Wily Introscope Enterprise Manager (WorkStation). This flaw, tied to CWE-94 (code injection), carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). It allows the creation of a malicious Java Network Launch Protocol (JNLP) file that can be hosted at a public-facing URL.

An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) with low complexity (AC:L) by tricking a victim into clicking the malicious URL, which requires user interaction (UI:R). Upon access, the targeted Wily Introscope Server executes arbitrary OS commands on the victim's machine, achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) while changing scope (S:C) for full system compromise.

SAP advisories provide mitigation details, including patches referenced in SAP Note 3668679 (https://me.sap.com/notes/3668679) and the SAP Security Patch Day page (https://url.sap/sapsecuritypatchday).

Details

CWE(s): CWE-94 (code injection)

Affected Products: SAP Introscope Enterprise Manager, version 10.8

MITRE ATT&CK Enterprise Techniques [AI]

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The vulnerability is a code injection (CWE-94) in SAP Wily Introscope Workstation, exploited via a malicious JNLP file served from a public URL. Because the victim must launch the file, it is a client-side exploitation that requires user interaction and results in arbitrary OS command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References