CVE-2026-0500

Critical · RCE

Published: 13 January 2026

Modified: 22 January 2026
CVSS v3.1 base score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS score: 0.0035 (26.9th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-0500 is a critical-severity Code Injection (CWE-94) vulnerability in SAP Introscope Enterprise Manager. Its CVSS v3.1 base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked at the 26.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-0500, published on 2026-01-13, stems from the use of a vulnerable third-party component in SAP Wily Introscope Enterprise Manager (WorkStation). This flaw, tied to CWE-94 (code injection), carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). It allows the creation of a malicious Java Network Launch Protocol (JNLP) file that can be hosted at a public-facing URL.

An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) with low complexity (AC:L) by tricking a victim into clicking the malicious URL, which requires user interaction (UI:R). Upon access, the targeted Wily Introscope Server executes arbitrary OS commands on the victim's machine, achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) while changing scope (S:C) for full system compromise.

SAP advisories provide mitigation details, including patches referenced in SAP Note 3668679 (https://me.sap.com/notes/3668679) and the SAP Security Patch Day page (https://url.sap/sapsecuritypatchday).

Vulnerability details

Due to the usage of a vulnerable third-party component in SAP Wily Introscope Enterprise Manager (WorkStation), an unauthenticated attacker could create a malicious JNLP (Java Network Launch Protocol) file accessible by a public-facing URL. When a victim clicks on the URL, the accessed Wily Introscope Server could execute OS commands on the victim's machine. This could completely compromise the confidentiality, integrity and availability of the system.

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The vulnerability is a code injection (CWE-94) in SAP Wily Introscope Workstation exploited via a malicious JNLP file from a public URL, requiring user interaction to launch, enabling client-side exploitation for arbitrary OS command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-0498 (same vendor: SAP)
CVE-2024-57061 (shared CWE-94)
CVE-2024-56448 (shared CWE-94)
CVE-2025-25467 (shared CWE-94)
CVE-2025-27678 (shared CWE-94)
CVE-2024-43767 (shared CWE-94)
CVE-2026-21853 (shared CWE-94)
CVE-2026-0508 (same vendor: SAP)
CVE-2026-23689 (same vendor: SAP)
CVE-2025-54063 (shared CWE-94)

Affected Assets

SAP Introscope Enterprise Manager 10.8

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly remediates the vulnerability in the third-party component of SAP Wily Introscope by requiring identification, reporting, and patching as specified in SAP Note 3668679.

SC-18 Mobile Code (prevent)

Restricts execution of mobile code such as malicious JNLP files from untrusted public URLs by prohibiting use from untrusted sources and validating prior to execution.

Malicious code protection (prevent, detect)

Deploys malicious code protection mechanisms such as antivirus to scan for, detect, and prevent execution of a malicious JNLP file that targets the vulnerable component.