CVE-1999-0006

CRITICAL

Qualcomm qpopper - Buffer Overflow via Long PASS Command

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-1999-0006. PoCs published by Miroslaw Grzybek, Seth McGann.

AI-analyzed exploit summary This exploit targets a buffer overflow vulnerability in Qualcomm's qpopper prior to version 2.5. It sends a crafted payload to port 110 (POP3) to achieve remote code execution, providing a root shell.

Description

Buffer overflow in POP servers based on BSD/Qualcomm's qpopper allows remote attackers to gain root access using a long PASS command.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Miroslaw Grzybek · cremoteunix

https://www.exploit-db.com/exploits/19110

View Code ZIP pw:eip

This exploit targets a buffer overflow vulnerability in Qualcomm's qpopper prior to version 2.5. It sends a crafted payload to port 110 (POP3) to achieve remote code execution, providing a root shell.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Qualcomm qpopper < 2.5

No auth needed

Prerequisites: Network access to port 110 (POP3) · Vulnerable version of qpopper

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Seth McGann · cremotelinux

https://www.exploit-db.com/exploits/19109

View Code ZIP pw:eip

This exploit targets a buffer overflow vulnerability in Qualcomm's qpopper versions prior to 2.5. It crafts a malicious payload with NOP sleds and shellcode to achieve remote code execution via a reverse shell.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Qualcomm qpopper < 2.5

No auth needed

Prerequisites: Network access to the target's POP3 service (port 110) · Vulnerable version of qpopper running on the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Vendor Advisory vendor-advisory x_refsource_sgi

ftp://patches.sgi.com/support/free/security/advisories/19980801-01-I

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/133

Scores

CVSS v3 9.8

EPSS 0.0768

EPSS Percentile 92.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-125

Status published

Products (1)

qualcomm/qpopper 2.4

Published Jul 14, 1998

Tracked Since Feb 18, 2026