CVE-1999-0526
published 1997-07-01CVE-1999-0526: An X server's access control is disabled (e.g. through an "xhost +" command) and allows anyone to connect to the server.
PriorityP270critical10CVSS 2.0
AVNACLAuNCCICAC
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
20.98%
97.3th percentile
An X server's access control is disabled (e.g. through an "xhost +" command) and allows anyone to connect to the server.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| x.org | x11 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Scan for unauthenticated X11 servers accepting connections from any host — indicative of 'xhost +' misconfiguration exploited by CVE-1999-0526. ↗
- →Monitor for X11 clients connecting and creating background windows with keyboard bindings — a keylogging technique used post-exploitation against open X11 servers. ↗
- →Alert on X11 connections that register a virtual keyboard and subsequently spawn xterm or gnome-terminal processes — indicative of command injection via open X11. ↗
- →CVE-1999-0526 continues to generate significant active scanning traffic at scale — treat open X11 exposure as actively exploited, not merely theoretical. ↗
- ·The X11 keylogger module is an imperfect logger — keystrokes are not stored and forwarded but status displayed at poll time, and keys may be repeated or missing. Detection based on keystroke capture artifacts may be unreliable. ↗
- ·Over 52% of RCE-category attacking IPs had no prior threat-feed history, meaning static IP blocklists will miss the majority of fresh attacker infrastructure scanning for open X11 and similar exposures. ↗
CVSS provenance
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck10.0CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-fv34-2r8h-94mm: An X server's access control is disabled (e
ghsa_unreviewed·2022-04-30
CVE-1999-0526 [HIGH] GHSA-fv34-2r8h-94mm: An X server's access control is disabled (e
An X server's access control is disabled (e.g. through an "xhost +" command) and allows anyone to connect to the server.
VulnCheck
X Server Disabled Access Control Vulnerability
vulncheck·1999·CVSS 10.0
CVE-1999-0526 [CRITICAL] X Server Disabled Access Control Vulnerability
X Server Disabled Access Control Vulnerability
An X server's access control is disabled (e.g. through an "xhost +" command) and allows anyone to connect to the server.
Affected: x.org x11
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://info.greynoise.io/hubfs/resources/GreyNoise-2025-Mass-Internet-Exploitation-Report.pdf; https://censys.com/on-the-internet-everything-old-is-exploitable-again/; https://4282754.hs-sites.com/hubfs/resources/GreyNoise-2026-State-of-the-Edge-Report.pdf
No detection rules found.
Metasploit
X11 No-Auth Scanner
metasploit
X11 No-Auth Scanner
X11 No-Auth Scanner
This module scans for X11 servers that allow anyone to connect without authentication.
Metasploit
X11 Keylogger
metasploit
X11 Keylogger
X11 Keylogger
This module binds to an open X11 host to log keystrokes. This is a fairly close copy of the old xspy c program which has been on Kali for a long time. The module works by connecting to the X11 session, creating a background window, binding a keyboard to it and creating a notification alert when a key is pressed. One of the major limitations of xspy, and thus this module, is that it polls at a very fast rate, faster than a key being pressed is released (especially before the repeat delay is hit). To combat printing multiple characters for a single key press, repeat characters arent printed when typed in a very fast manor. This is also an imperfect keylogger in that keystrokes arent stored and forwarded but status displayed at poll time. Keys may be repeated or missing.
Metasploit
X11 Keyboard Command Injection
metasploit
X11 Keyboard Command Injection
X11 Keyboard Command Injection
This module exploits open X11 servers by connecting and registering a virtual keyboard. The virtual keyboard is used to open an xterm or gnome terminal and type and execute the specified payload.
Greynoiseio
2026 GreyNoise State of the Edge Report: Where Attacks Concentrate and Defenses Fall Short
blogs_greynoiseio·2026-02-24
2026 GreyNoise State of the Edge Report: Where Attacks Concentrate and Defenses Fall Short
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
Greynoiseio
2026 State of the Edge Report
blogs_greynoiseio
2026 State of the Edge Report
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
Greynoiseio
GreyNoise Releases 2026 State of the Edge Report: More Than Half of Remote Code Execution Attempts Originate From Previously Unseen IPs
blogs_greynoiseio
GreyNoise Releases 2026 State of the Edge Report: More Than Half of Remote Code Execution Attempts Originate From Previously Unseen IPs
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
1997-07-01
Published
Exploited in the wild