CVE-1999-0051

FLEXlm 4.0-5.0 - Arbitrary File Creation and Program Execution

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-1999-0051. PoCs published by Joel Eriksson, Yuri Volobuev, Arthur Hagen.

AI-analyzed exploit summary This exploit leverages a symlink vulnerability in the Solaris License Manager (versions 2.5.1 and 2.6) to gain root access by manipulating lockfiles. The script creates a symlink to a target user's .rhosts file, allowing arbitrary command execution.

Description

Arbitrary file creation and program execution using FLEXlm LicenseManager, from versions 4.0 to 5.0, in IRIX.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Joel Eriksson · bashlocalsolaris

https://www.exploit-db.com/exploits/19350

View Code ZIP pw:eip

This exploit leverages a symlink vulnerability in the Solaris License Manager (versions 2.5.1 and 2.6) to gain root access by manipulating lockfiles. The script creates a symlink to a target user's .rhosts file, allowing arbitrary command execution.

Classification

Working Poc 90%

Attack Type

Lpe

Complexity

Trivial

Reliability

Reliable

Target: Solaris License Manager 2.5.1, 2.6

No auth needed

Prerequisites: Local access to the vulnerable system · Presence of vulnerable lockfiles in /var/tmp

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Yuri Volobuev · textlocalirix

https://www.exploit-db.com/exploits/19067

View Code ZIP pw:eip

This exploit leverages a vulnerability in LicenseManager(1M) to manipulate root-owned files by creating a symbolic link to /.rhosts, allowing an attacker to gain root access via rsh. The exploit involves setting up a malicious license file and triggering an update to overwrite the target file.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Trivial

Reliability

Reliable

Target: LicenseManager(1M) (FLEXlm/NetLS)

No auth needed

Prerequisites: Access to a system with LicenseManager(1M) installed · Ability to write to /tmp

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1205 - Traffic Signaling

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Arthur Hagen · textlocalirix

https://www.exploit-db.com/exploits/19066

View Code ZIP pw:eip

This exploit leverages a vulnerability in LicenseManager(1M) to overwrite root-owned files, such as /.rhosts or /etc/passwd, by manipulating the NETLS_LICENSE_FILE environment variable. The attack allows for privilege escalation to root by injecting arbitrary content into sensitive files.

Classification

Working Poc 90%

Attack Type

Lpe

Complexity

Trivial

Reliability

Reliable

Target: LicenseManager(1M) (FLEXlm/NetLS)

No auth needed

Prerequisites: Access to a system with LicenseManager(1M) installed · Ability to set environment variables

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1204 - User Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Third Party Advisory, VDB Entry x_refsource_misc

https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0051

Scores

EPSS 0.0130

EPSS Percentile 66.6%

Details

Status published

Products (49)

globetrotter/flexlm 4.0

globetrotter/flexlm 4.1

globetrotter/flexlm 5.0

sgi/irix 3.3.2

sgi/irix 3.3.3

sgi/irix 4.0

sgi/irix 4.0.1

sgi/irix 4.0.1t

sgi/irix 4.0.2

sgi/irix 4.0.3

... and 39 more

Published Jan 06, 1997

Tracked Since Feb 18, 2026