CVE-2026-24061
GNU inetutils-telnetd Remote Authentication Bypass
CVSS Score: 9.8 Critical
Overview
A vulnerability in GNU inetutils-telnetd allows remote attackers to bypass authentication via the NEW_ENVIRON telnet option. By sending a crafted USER environment variable containing the value "-f root", an attacker can trick the login process into granting a root shell without credentials.
Affected Versions
GNU inetutils-telnetd versions prior to 2.6
Technical Details
The telnetd daemon passes the USER environment variable from NEW_ENVIRON negotiation directly to /bin/login. When the value is "-f root", login interprets this as a command-line flag indicating pre-authentication, bypassing password verification entirely.
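As an added example (not code from this PoC or from inetutils), the kind of input check a telnet daemon could apply to a client-supplied USER value before that value reaches the /bin/login argument list; the function names and the accepted character set are assumptions:

```c
/* Added example, not part of the PoC or of inetutils: a validation helper of
 * the kind a telnet daemon could apply to a NEW_ENVIRON-supplied USER value
 * before placing it on /bin/login's command line. Names and policy are
 * hypothetical. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_USER_LEN 32

/* Return 1 if 'value' is safe to hand to login as a user name, 0 otherwise.
 * Rejects anything login could parse as an option (a leading '-', e.g.
 * "-f root") and anything that is not a plain portable user name (letters,
 * digits, '_', '-', '.'), so a client cannot smuggle flags or separators
 * through the environment option. */
int user_value_is_safe(const char *value)
{
    size_t len;

    if (value == NULL)
        return 0;
    len = strlen(value);
    if (len == 0 || len > MAX_USER_LEN)
        return 0;
    /* A leading '-' is exactly what turns the value into a login option. */
    if (value[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (isalnum(c) || c == '_' || c == '-' || c == '.')
            continue;
        /* Whitespace, control bytes, ':' and so on are never part of a name. */
        return 0;
    }
    return 1;
}

/* Copy 'value' into 'out' only if it passes the check; otherwise leave 'out'
 * empty so the daemon falls back to prompting for a user name instead. */
int sanitize_user_for_login(const char *value, char *out, size_t outsz)
{
    if (outsz == 0)
        return 0;
    out[0] = '\0';
    if (!user_value_is_safe(value) || strlen(value) >= outsz)
        return 0;
    memcpy(out, value, strlen(value) + 1);
    return 1;
}
```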
Usage
./cve_2026_24061_telnetd.py <target> [port] [user]
echo "id; whoami" | ./cve_2026_24061_telnetd.py 192.168.1.1
Testing
A vulnerable test environment is provided via Docker.
docker build -t vuln-telnetd -f Dockerfile.vulnerable .
docker run -d -p 2323:23 --name vuln-telnetd vuln-telnetd
echo "id" | python3 cve_2026_24061_telnetd.py localhost 2323
References
https://www.gnu.org/software/inetutils/
https://nvd.nist.gov/vuln/detail/CVE-2026-24061
LEGAL DISCLAIMER
This proof-of-concept is provided for authorized security research and educational purposes only. Unauthorized access to computer systems is illegal. The authors assume no liability for misuse of this software. Users are solely responsible for ensuring they have proper authorization before testing any systems. By using this tool, you agree to use it only on systems you own or have explicit written permission to test.