We use Nessus (Security Center) for vulnerability and compliance scanning of all endpoints, and we recently had both CSAs show up with "X Server Detection" on TCP port 6000.
Internal Nessus Scan Determined:
X Server Detection (10407)
The remote host is running an X11 server. X11 is a client-server
protocol that can be used to display graphical applications running on
a given host on a remote client.
Since the X11 traffic is not ciphered, it is possible for an attacker
to eavesdrop on the connection.
Is the X11 service used/needed on the CSAs? They are VMware VMs that we access via the vSphere web client (version 126.96.36.199).