module

GNU Inetutils Telnet Authentication Bypass Exploit CVE-2026-24061

Try Surface Command
Back to search
Disclosed
Jan 26, 2026
Created
Feb 12, 2026

Description

The telnetd service from GNU InetUtils is vulnerable to authentication-bypass, tracked as CVE-2026-24061, in
versions up to version 2.7. During Telnet authentication the SB byte can be sent to indicate sub-negotiation which
allows for the exchange of sub-option parameters after both parties have agreed to enable a specific functional option.
Environment variables can be sent as sub-options and it's the USER environment variable which introduces the
authentication bypass in this scenario. When the USER environment variable gets sent to the GNU inetutils telnetd
service during authentication, the variable gets appended without proper sanitization to an execv call to the
/usr/bin/login binary. The login binary has a -f flag which skips authentication for a specific user. So the exploit
sets the `USER` environment variable to -f root and the telnetd service responds with a root shell.

Authors

jheysel-r7
Kyu Neushwaistein

Platform

Linux,Unix

Architectures

cmd

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


    msf > use exploit/linux/telnet/gnu_inetutils_auth_bypass
    msf exploit(gnu_inetutils_auth_bypass) > show targets
        ...targets...
    msf exploit(gnu_inetutils_auth_bypass) > set TARGET < target-id >
    msf exploit(gnu_inetutils_auth_bypass) > show options
        ...show and set options...
    msf exploit(gnu_inetutils_auth_bypass) > exploit
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today