Cyber Posture

CVE-2026-0500

Severity: Critical (RCE)

Published: 13 January 2026
Modified: 22 January 2026
KEV Added: not listed in the CISA KEV catalog
Patch: SAP Note 3668679
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0017 (38.3rd percentile)
Risk Priority: 19 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-0500 is a critical-severity Code Injection (CWE-94) vulnerability in SAP Introscope Enterprise Manager. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). EPSS ranks it at the 38.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SI-2 Flaw Remediation (prevent)

Directly remediates the vulnerability in the third-party component of SAP Wily Introscope by requiring identification, reporting, and patching as specified in SAP Note 3668679.

SC-18 Mobile Code (prevent)

Restricts execution of mobile code such as malicious JNLP files from untrusted public URLs by prohibiting use from untrusted sources and validating prior to execution.

SI-3 Malicious Code Protection (prevent, detect)

Deploys malicious code protection mechanisms such as antivirus to scan for, detect, and prevent execution of a malicious JNLP file exploiting the vulnerable component.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

The vulnerability is a code injection (CWE-94) in SAP Wily Introscope Workstation exploited via a malicious JNLP file from a public URL, requiring user interaction to launch, enabling client-side exploitation for arbitrary OS command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Due to the usage of a vulnerable third party component in SAP Wily Introscope Enterprise Manager (WorkStation), an unauthenticated attacker could create a malicious JNLP (Java Network Launch Protocol) file accessible by a public facing URL. When a victim clicks on the URL, the accessed Wily Introscope Server could execute OS commands on the victim's machine. This could completely compromise the confidentiality, integrity and availability of the system.

Deeper analysis [AI-generated]

CVE-2026-0500, published on 2026-01-13, stems from the use of a vulnerable third-party component in SAP Wily Introscope Enterprise Manager (WorkStation). This flaw, tied to CWE-94 (code injection), carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). It allows the creation of a malicious Java Network Launch Protocol (JNLP) file that can be hosted at a public-facing URL.

An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) with low complexity (AC:L) by tricking a victim into clicking the malicious URL, which requires user interaction (UI:R). Upon access, the targeted Wily Introscope Server executes arbitrary OS commands on the victim's machine, achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) while changing scope (S:C) for full system compromise.

SAP advisories provide mitigation details, including patches referenced in SAP Note 3668679 (https://me.sap.com/notes/3668679) and the SAP Security Patch Day page (https://url.sap/sapsecuritypatchday).

Details

CWE(s): CWE-94 (Code Injection)

Affected Products: SAP Introscope Enterprise Manager 10.8

CVEs Like This One

CVE-2024-57061 (shared CWE-94)
CVE-2024-43767 (shared CWE-94)
CVE-2026-0498 (same vendor: SAP)
CVE-2026-21853 (shared CWE-94)
CVE-2025-27678 (shared CWE-94)
CVE-2024-56448 (shared CWE-94)
CVE-2025-25467 (shared CWE-94)
CVE-2026-23689 (same vendor: SAP)
CVE-2026-0485 (same vendor: SAP)
CVE-2026-24322 (same vendor: SAP)
