## https://sploitus.com/exploit?id=7C5068FE-EA15-504A-95F0-70955D13987E
# CVE-2026-24061 β telnetd Authentication Bypass PoC



> π¨Critical authentication bypass in `telnetd` leading to RCE as root
> Affects systems with telnetd versions containing the vulnerability from 2015 onwards
---
## π§ About
This PoC demonstrates **CVE-2026-24061**, a critical authentication bypass vulnerability in telnetd that has existed undetected for 11 years. The vulnerability stems from improper handling of the USER environment variable in telnetd's login process.
The vulnerability exists because:
1. In 2015, a commit added dynamic username handling (%U) to the login template to support auto-login: `/usr/bin/login -p -h %h %?u{-f %u}{%U}`
2. Thanks to RFC 1572, telnet clients can send environment variables (including USER) completely unsanitized
3. Setting USER=`-f root` gets injected directly into the command as %U, becoming: `/usr/bin/login ... -f root`
4. The -f flag tells login: `this user is already authenticated elsewhere skip the password check entirely`
This results in an instant root shell without authentication, with a CVSS score of 9.8.
---
## π Requirements
- Affected `telnetd` version: **β€ 2.7**
- Network access to target telnet service (ex. port 23)
- No special privileges required on the attacking system
## π Usage
- ```bash
git clone https://github.com/cyberpoul/CVE-2026-24061-POC
- ```bash
cd CVE-2026-24061-POC
- ```bash
python cve-2026-24061-poc.py
## π‘οΈ Mitigation
- Patch telnetd immediately as soon as patches are available even better `disable telnetd entirely and use SSH instead`
- Block telnet traffic at the network perimeter and implement network segmentation to limit telnet exposure
## π References
- [NVD Entry β CVE-2026-24061](https://nvd.nist.gov/vuln/detail/CVE-2026-24061)
- [RFC 1572 - Telnet Environment Option](https://datatracker.ietf.org/doc/html/rfc1572)