LiveActive security incident?Get immediate response
CVE Record

CVE-1999-0637: The systat service is running.

The systat service is running.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysislow

Security readout for executives and security teams

Plain-English summary

This entry flags that the systat service is running on a host. Systat is a legacy Unix information service that, when enabled, allows anyone who can reach it over the network to view details about system users, processes, and status. It is an information-disclosure exposure rather than a direct compromise, but the leaked details can help an attacker plan a follow-on attack.

Executive priority

Low priority. Treat as legacy hygiene: sweep for the service during routine port audits and disable where found. No emergency change is warranted unless a legacy Unix or appliance fleet is known to still run inetd services.

Technical view

CVE-1999-0637 describes the systat service being enabled and reachable. Systat historically listens on TCP port 11 and returns output from commands like who or ps to any requester without authentication. The CVE record contains no vendor, product, CVSS, CWE, or KEV data. Exposure depends on whether inetd or an equivalent super-server is still publishing the service on a reachable interface.

Likely exposure

Very limited in modern environments. Systat is disabled by default on contemporary Linux and BSD distributions and is rarely enabled intentionally. Residual exposure is most likely on legacy Unix hosts, embedded appliances, or lab systems where inetd-style services were never audited.

Exploitation context

Not listed in CISA KEV and no active exploitation is cited in the provided sources. The issue is characterized as information disclosure that supports reconnaissance rather than a directly exploitable vulnerability. Any exposure would be trivially discoverable through a network port scan of TCP/11.

Researcher notes

The CVE record is a minimal 1999-era "service is running" entry with no CVSS, CWE, affected product, or reference beyond the CVE.org record itself. Treat it as a configuration finding rather than a software flaw. Confirm scope by fingerprinting TCP/11 responses and correlating with inetd-style service inventories. No vendor advisories are cited in the bundle.

Mitigation direction

  • Disable the systat entry in inetd.conf or xinetd configuration and reload the super-server.
  • Block inbound TCP port 11 at host and perimeter firewalls.
  • Uninstall legacy netkit or bsd-services packages that provide systat if unused.
  • Restrict management interfaces to trusted administrative networks only.
  • Consult vendor guidance for any appliance that ships systat enabled.

Validation and detection

  • Scan target hosts for an open TCP port 11 and confirm no banner or process listing is returned.
  • Inspect inetd.conf, xinetd.d, or systemd socket units for a systat entry and confirm it is disabled.
  • Review firewall rules to verify TCP/11 is denied at ingress.
  • Check asset inventory for legacy Unix hosts that may still expose finger-family services.
Prepared
Confidence
medium
Sources
2

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-1999-0637 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
0Timeline events
0ADP providers
2Source links

CVSS and timeline data

No CVSS vectors or timeline events were available in the normalized CVE source material.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.