GNU Inetutils telnetd Unauthenticated Root RCE via NEW-ENVIRON (CVE-2026-24061)
by Ashraf Zaryouh / 0xBlackash · 2026-06-30
- Severity: Critical
- CVE: CVE-2026-24061
- Category: network
- Affected product: GNU Inetutils telnetd
- Affected versions: 1.9.3 through 2.7; Debian Linux 11.0 ships vulnerable version
- Disclosed: 2026-06-30
- Patch status: patched
Archive entry: intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-06-30 |
| Last Updated | 2026-06-30 |
| Author / Researcher | Ashraf Zaryouh / 0xBlackash |
| CVE / Advisory | CVE-2026-24061 |
| Category | network |
| Severity | Critical |
| CVSS Score | 9.8 (CVSSv3.1; AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| Status | Weaponized |
| Tags | RCE, unauthenticated, authentication-bypass, telnetd, GNU-Inetutils, NEW-ENVIRON, legacy, OT, CISA-KEV, active-exploitation, Python |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | GNU Inetutils telnetd |
| Versions Affected | 1.9.3 through 2.7; Debian Linux 11.0 ships vulnerable version |
| Language / Platform | Python (PoC); C / Linux (target daemon) |
| Authentication Required | No (unauthenticated network attacker) |
| Network Access Required | Yes (TCP port 23) |
Summary
CVE-2026-24061 is a critical authentication bypass in GNU Inetutils telnetd that grants an unauthenticated network attacker an immediate root shell. The NEW-ENVIRON Telnet option handler passes the USER environment variable unsanitised to /bin/login. Setting USER=-f root causes login to treat the session as pre-authenticated root, skipping all password verification. CISA added CVE-2026-24061 to the Known Exploited Vulnerabilities (KEV) catalog in January 2026, with a remediation deadline of 02/16/2026. Mass exploitation against legacy and OT systems was observed shortly after public disclosure. Fixed in GNU Inetutils 2.8 (two patch commits on Codeberg).
Vulnerability Details
Root Cause
When a Telnet client negotiates NEW-ENVIRON, telnetd receives environment variables including USER and forwards them to /bin/login via execve. The USER value is not sanitised before being passed as arguments. Because /bin/login accepts -f <user> to skip authentication for already-verified users, injecting -f root as the USER value results in:
execve("/bin/login", ["login", "-f", "root", ...], ...)
Login sees the -f flag, skips password verification, and grants a root shell.
CWE-88 (Improper Neutralization of Argument Delimiters in a Command).
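An added C illustration of the CWE-88 pattern described above (not code from GNU Inetutils or its patch): `build_argv_unsafe` models the USER value being split into separate `login` arguments, and `build_argv_safe` shows one hardened form. The function names, the 32-byte limit, the allow-list, and the premise that `login` stops option parsing at `--` are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define MAX_ARGS 8

/* Vulnerable model: USER is spliced into the login command line and split on
 * spaces, so "-f root" becomes two argv entries. buf receives a copy. */
int build_argv_unsafe(const char *user, char *buf, size_t buflen,
                      const char *argv[MAX_ARGS])
{
    int argc = 0;
    argv[argc++] = "login";
    snprintf(buf, buflen, "%s", user);
    for (char *t = strtok(buf, " "); t && argc < MAX_ARGS - 1;
         t = strtok(NULL, " "))
        argv[argc++] = t;
    argv[argc] = NULL;
    return argc;
}

/* Allow-list: non-empty, at most 32 bytes, no leading '-', and only
 * characters from the POSIX portable user name set [A-Za-z0-9._-]. */
int user_is_safe(const char *user)
{
    size_t n = strlen(user);
    if (n == 0 || n > 32 || user[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)user[i]) && !strchr("._-", user[i]))
            return 0;
    return 1;
}

/* Hardened: validate, keep the name as one argv entry, and put "--" first so
 * a getopt-style parser stops reading options. Returns argc, -1 on reject. */
int build_argv_safe(const char *user, const char *argv[MAX_ARGS])
{
    if (!user_is_safe(user))
        return -1;
    argv[0] = "login"; argv[1] = "--"; argv[2] = user; argv[3] = NULL;
    return 3;
}

int main(void)
{
    const char *argv[MAX_ARGS]; char buf[64];
    printf("unsafe argc=%d\n", build_argv_unsafe("-f root", buf, sizeof buf, argv));
    printf("safe rc=%d\n", build_argv_safe("-f root", argv));
}
```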
Attack Steps
- Connect to telnetd on TCP/23.
- During the Telnet option negotiation phase, send NEW-ENVIRON with USER=-f root.
- telnetd forwards the value to /bin/login — authentication is skipped.
- Attacker receives a root shell prompt.
One-liner
| |
Impact
- Immediate unauthenticated root shell over the network.
- Full system compromise: /etc/shadow readable, persistence trivial.
- High risk in legacy environments, OT/ICS networks, and embedded systems where telnetd is still running.
- Active exploitation in the wild confirmed January–February 2026.
Environment / Lab Setup
Target: Debian 11 / any host running GNU Inetutils telnetd 1.9.3–2.7
Attacker: Python 3 with telnetlib or standard telnet client
Proof of Concept
Python PoC
| |
Manual One-liner
| |
Expected Output
Trying 192.168.1.100...
Connected to 192.168.1.100.
Escape character is '^]'.
root@legacy-box:~# whoami
root
root@legacy-box:~# id
uid=0(root) gid=0(root) groups=0(root)
root@legacy-box:~# cat /etc/shadow
root:$6$...
Detection & Indicators of Compromise
| |
Immediate mitigation:
| |
Remediation
| Action | Detail |
|---|---|
| Patch | Upgrade GNU Inetutils to 2.8+ (Codeberg commits ccba9f748aa8d50a and fd702c02497b2f39) |
| Disable | Disable telnetd entirely; replace with SSH |
| Firewall | Block TCP/23 from untrusted networks at perimeter and host level |
| CISA KEV | Required remediation deadline was 02/16/2026 — treat any unpatched hosts as compromised |