CVE-1999-0526

EXPLOITED

X.org X11 - Unauthenticated Access Control Bypass via xhost Command

Title source: llm

Exploitation Summary

CVE-1999-0526 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits, with contributions from researchers including h00die and nir tzachar; among them is the Metasploit module auxiliary/scanner/x11/open_x11.

AI-analyzed exploit summary: This Metasploit module scans for X11 servers that allow unauthenticated connections. It checks for open X11 servers on port 6000 and reports connection details if successful.

Description

An X server's access control is disabled (e.g. through an "xhost +" command) and allows anyone to connect to the server.

Exploits (3)

metasploit SCANNER
ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/x11/open_x11.rb

This Metasploit module scans for X11 servers that allow unauthenticated connections. It checks for open X11 servers on port 6000 and reports connection details if successful.

Classification: Scanner 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: X11 servers
No auth needed
Prerequisites: Network access to the target X11 server
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC
by h00die, nir tzachar · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/x11_keyboard_spy.rb

This Metasploit module exploits an X11 session to log keystrokes by creating a background window and binding a keyboard to it. It polls the keyboard state at a high rate to capture key presses, though it may miss or repeat keystrokes due to polling limitations.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: X11 (X Window System)
No auth needed
Prerequisites: Access to an open X11 session (typically TCP port 6000)
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC EXCELLENT
ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/x11/x11_keyboard_exec.rb

This Metasploit module exploits open X11 servers by registering a virtual keyboard to simulate keystrokes, opening a terminal, and executing arbitrary commands. It leverages the X11 protocol to inject commands via synthetic keyboard input.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: X11 Server (open/unauthenticated instances)
No auth needed
Prerequisites: Access to an open X11 server (typically port 6000) · X11 server configured to allow remote connections
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/704969

Scores

EPSS 0.7265
EPSS Percentile 98.8%

Details

VulnCheck KEV 2025-02-27
Status published
Products (1)
x.org/x11 7.1_1.1.0
Published Jul 01, 1997
Tracked Since Feb 18, 2026