🧠 CVE-2026-24061

Primary: 01 - Network Security

Secondary: 02 - Remote Code Execution

What is it?

  • Concept: A 9.8 (Critical) vulnerability in GNU Inetutils Telnetd. The daemon does not sanitize user-supplied input, which allows argument injection.
  • Impact: This vulnerability allows an unauthenticated user to immediately gain an interactive root shell on the target machine.

How it works

The exploit leverages the telnet protocol negotiation phase:

  1. Initial Connection: TCP connection established to target port
  2. Option Negotiation: Server sends DO/WILL commands for various telnet options
  3. TTYPE Agreement: Client agrees to send terminal type (WILL TTYPE)
  4. TSPEED Agreement: Client agrees to send terminal speed (WILL TSPEED)
  5. NEW_ENVIRON Agreement: Client agrees to send environment variables (WILL NEW_ENVIRON)
  6. Subnegotiation: Server requests environment variables (SB NEW_ENVIRON SEND)
  7. Payload Injection: Client sends USER="-f root" in NEW_ENVIRON response
  8. Authentication Bypass: Server processes malicious USER variable
  9. Shell Access: Root shell granted without authentication

Exploitation

Prerequisites: The remote Telnetd server must use /bin/login to handle the autologin feature.

Attack Vectors

1. Bash exploit

USER="-f root" telnet -a <target>

This exploit forces the telnet client to use autologin (the -a flag) and send the malicious payload to the remote server. The daemon on the server then passes the unsanitized payload to /bin/login as an argument, and the root shell is executed.

2. Proof of Concept

You can also use the PoC version here

Mitigation

  • Fix: Update GNU Inetutils Telnetd to the latest version.
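
A detection-side check for the NEW_ENVIRON response described under "How it works", as an added example that is not from the original page or from the GNU Inetutils project: it parses telnet subnegotiations out of captured client bytes and reports any USER value that begins with "-". The function names, the leading-dash heuristic and the sample() byte builder are assumptions made for illustration.

```python
# Added example. Byte values from RFC 854/1572; sample streams are constructed.
IAC, SB, SE, WILL = 255, 250, 240, 251
NEW_ENVIRON, IS, INFO = 39, 0, 2
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3

def subnegotiations(stream: bytes):
    """Yield (option, payload) for every IAC SB <option> ... IAC SE block."""
    i = 0
    while i < len(stream) - 2:
        if stream[i] == IAC and stream[i + 1] == IAC:
            i += 2                                  # escaped 0xFF data byte
        elif stream[i] == IAC and stream[i + 1] == SB:
            option, body, j = stream[i + 2], bytearray(), i + 3
            while j < len(stream) - 1:
                if stream[j] == IAC and stream[j + 1] == SE:
                    yield option, bytes(body)
                    break
                if stream[j] == IAC and stream[j + 1] == IAC:
                    j += 1                          # IAC IAC inside SB is one 0xFF
                body.append(stream[j])
                j += 1
            i = j + 2
        else:
            i += 1

def environ_vars(payload: bytes):
    """Decode an IS or INFO payload into a list of (name, value) strings."""
    if not payload or payload[0] not in (IS, INFO):
        return []
    pairs, k = [], 1
    while k < len(payload):
        if payload[k] in (VAR, USERVAR):
            pairs.append([bytearray()])             # start of a new name
        elif payload[k] == VALUE and pairs:
            pairs[-1].append(bytearray())           # start of that name's value
        elif pairs:
            if payload[k] == ESC and k + 1 < len(payload):
                k += 1                              # ESC: next byte is literal
            pairs[-1][-1].append(payload[k])
        k += 1
    return [(p[0].decode("latin-1"), b"".join(p[1:]).decode("latin-1")) for p in pairs]

def suspicious_user(stream: bytes):
    """Return USER values that start with '-' (assumed heuristic)."""
    return [v for opt, p in subnegotiations(stream) if opt == NEW_ENVIRON
            for n, v in environ_vars(p) if n == "USER" and v.lstrip().startswith("-")]

def sample(user: bytes) -> bytes:  # constructed client bytes: WILL, then IS reply
    return (bytes([IAC, WILL, NEW_ENVIRON, IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER"
            + bytes([VALUE]) + user + bytes([IAC, SE]))
```

suspicious_user(sample(b"alice")) returns an empty list, while a stream carrying the USER value quoted on this page is returned as a hit.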

References: Exploit Repo