CVE-1999-0526
published 1997-07-01

CVE-1999-0526: An X server's access control is disabled (e.g. through an "xhost +" command) and allows anyone to connect to the server.

Priority: P270 · critical · 10 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
ITW exploit · VulnCheck KEV
Exploited in the wild
EPSS: 20.98% (97.3rd percentile)
Affected (1 range)

Vendor | Product | Version range | Fixed in
x.org  | x11     |               |

Detection & IOCs (extracted from sources)

Port: 6000
Command: xhost +
  • Scan for unauthenticated X11 servers accepting connections from any host — indicative of 'xhost +' misconfiguration exploited by CVE-1999-0526.
  • Monitor for X11 clients connecting and creating background windows with keyboard bindings — a keylogging technique used post-exploitation against open X11 servers.
  • Alert on X11 connections that register a virtual keyboard and subsequently spawn xterm or gnome-terminal processes — indicative of command injection via open X11.
  • CVE-1999-0526 continues to generate significant active scanning traffic at scale — treat open X11 exposure as actively exploited, not merely theoretical.
  • The X11 keylogger module is an imperfect logger — keystrokes are not stored and forwarded; instead their status is displayed at poll time, and keys may be repeated or missing. Detection based on keystroke-capture artifacts may therefore be unreliable.
  • Over 52% of RCE-category attacking IPs had no prior threat-feed history, meaning static IP blocklists will miss the majority of fresh attacker infrastructure scanning for open X11 and similar exposures.

CVSS provenance

NVD: CVSS v2.0, 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
VulnCheck: 10.0 CRITICAL