
Vahagn Vardanian

Co-founder and CTO of RedRays

Remote Code Execution in SAP Wily Introscope Enterprise Manager

🔴 HOTNEWS CRITICAL
CVE-2026-0500
CVSS 9.6 CRITICAL
SAP Note #3668679

Vulnerability Summary

Due to a remote code execution vulnerability in SAP Wily Introscope Enterprise Manager, an unauthenticated attacker could create a malicious JNLP (Java Network Launch Protocol) file that is accessible by URL. When a victim opens the URL, the Wily Introscope server being accessed could execute commands on the victim's application. This could completely compromise the confidentiality, integrity and availability of the application.

CVSS v3.0 Assessment

Base Score: 9.6
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Technical Details

⚠️ Attack Mechanism

JNLP File Injection leading to Remote Code Execution on the Workstation

The vulnerability exists in the JNLP generation code, where request parameters are not properly validated. An unauthenticated attacker can craft a malicious JNLP file and make it accessible via URL. When a victim opens this URL, the Wily Introscope Server processes the malicious JNLP file, which can:

  • Execute arbitrary commands on the victim's workstation
  • Gain complete control over the application environment
  • Access sensitive performance monitoring data
  • Manipulate monitoring configurations and alerts
  • Establish persistent backdoor access
  • Launch attacks against other systems in the monitoring infrastructure
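To make the flaw class described above concrete, the following added example (written for this page, not RedRays', SAP's or the Introscope code) shows a minimal JNLP generator that reflects a request parameter verbatim next to a hardened version that allow-lists the value and escapes it. The parameter name em_host, the codebase, jar and main class are hypothetical placeholders.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Hypothetical launch descriptor; codebase, jar and main class are placeholders,
# not the real Introscope Workstation values.
JNLP_TEMPLATE = """<jnlp spec="1.0+" codebase="https://em.example.com/">
  <resources>
    <j2se version="1.8+"/>
    <jar href="workstation.jar" main="true"/>
  </resources>
  <application-desc main-class="com.example.Workstation">
    <argument>{em_host}</argument>
  </application-desc>
</jnlp>
"""

# One DNS label: alphanumerics with inner hyphens, 1-63 characters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")

def generate_jnlp_vulnerable(params: dict) -> str:
    """Copies the request parameter into the XML unchanged: client-supplied
    markup becomes part of the launch descriptor."""
    return JNLP_TEMPLATE.format(em_host=params["em_host"])

def generate_jnlp_hardened(params: dict) -> str:
    """Accepts only a syntactically valid hostname, then escapes it anyway so
    the parameter can never introduce elements or attributes."""
    host = params.get("em_host", "")
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("em_host is not a valid hostname")
    return JNLP_TEMPLATE.format(em_host=escape(host))

def count_arguments(jnlp_xml: str) -> int:
    """Number of <argument> elements the launcher would pass to main()."""
    root = ET.fromstring(jnlp_xml)
    return len(root.findall("./application-desc/argument"))

def hardened_rejects(params: dict) -> bool:
    """True when the hardened generator refuses the request."""
    try:
        generate_jnlp_hardened(params)
    except ValueError:
        return True
    return False

# Constructed request values: one benign, one that smuggles extra elements.
GOOD_REQUEST = {"em_host": "em.example.com"}
BAD_REQUEST = {"em_host": "em.example.com</argument><argument>injected</argument><argument>"}
```

Parsing the two outputs shows the difference: the vulnerable generator yields a well-formed descriptor with three arguments instead of one, while the hardened generator rejects the request before any XML is produced.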

Affected Software Components

INTROSCOPE version 10.7
INTROSCOPE version 10.8 SP01

Solution

✅ Recommended Fix

With the fix provided, the JNLP generation code has been updated so that all request parameters are properly handled and validated. This ensures the JNLP is generated correctly and contains no unintended or harmful content, preserving system security and reliability.

Please install Enterprise Manager 10.8 SP01 Patch 2 (10.8.0.220), which contains the fix, and refer to release note 3247270 for more details.

Alternate Solution

💡 Alternative Approach

Customers can switch to their respective standalone workstation package from the Software Center instead of launching the application via the .jnlp file. The standalone package provides the same application functionality without relying on JNLP launch, completely eliminating this attack vector.

Workaround

There is no workaround available for this vulnerability. Organizations must either apply the security patch or migrate to the standalone workstation package.

Additional Resources

Refer to FAQ document 3702381 regarding the scope and implementation of this SAP Security Note.

Disclosure Date: January 13, 2026 (SAP Security Patch Day)

For more information, visit the SAP Security Notes.
