{
  "cve": "CVE-2026-24061",
  "name": "Telnet NEW_ENVIRON Authentication Bypass & Remote Code Execution",
  "description": "Improper sanitization of USER environment variable during Telnet NEW_ENVIRON subnegotiation allows authentication bypass and privilege escalation to root",
  "severity": "CRITICAL",
  "cvss_score": 9.8,
  "attack_vector": "NETWORK",
  "requires_auth": false,
  "exploit_available": true,
  "references": [
    "https://github.com/SafeBreach-Labs/CVE-2026-24061",
    "https://github.com/TryA9ain/CVE-2026-24061"
  ],
  "vulnerable_versions": [
    {
      "daemon": "netkit-telnetd",
      "vendor": "netkit",
      "version_pattern": "^0\\.17(\\..*)?$",
      "description": "netkit-telnetd version 0.17 and variants",
      "platforms": ["Linux"],
      "confidence": "high"
    },
    {
      "daemon": "bsd-telnetd",
      "vendor": "BSD",
      "version_pattern": "^0\\.[0-5](\\..*)?$",
      "description": "BSD telnetd versions 0.0 through 0.5",
      "platforms": ["BSD", "FreeBSD", "OpenBSD"],
      "confidence": "high"
    },
    {
      "daemon": "inetutils-telnetd",
      "vendor": "GNU",
      "version_pattern": "^[12]\\.",
      "description": "GNU inetutils telnetd versions 1.x and 2.x (all versions affected)",
      "platforms": ["Linux"],
      "confidence": "high"
    },
    {
      "daemon": "telnetd",
      "vendor": "generic",
      "version_pattern": ".*",
      "description": "Generic telnetd implementations (requires manual verification)",
      "platforms": ["Linux", "Unix", "IoT"],
      "confidence": "low"
    }
  ],
  "patched_versions": [
    {
      "daemon": "netkit-telnetd",
      "version": "0.18+",
      "notes": "Properly sanitizes USER environment variable"
    },
    {
      "daemon": "bsd-telnetd",
      "version": "0.6+",
      "notes": "Implements validation for NEW_ENVIRON variables"
    }
  ],
  "detection_indicators": {
    "new_environ_support": true,
    "banner_keywords": ["telnetd", "Telnet", "Welcome"],
    "vulnerable_option_code": 39,
    "subnegotiation_required": true
  },
  "exploitation": {
    "method": "NEW_ENVIRON subnegotiation with malicious USER variable",
    "payload": "-f root",
    "mechanism": "Command-line argument injection during authentication",
    "impact": "Complete system compromise with root privileges",
    "bypass_techniques": [
      "Password authentication bypass",
      "Privilege escalation to root",
      "No user interaction required"
    ]
  },
  "last_updated": "2026-01-28",
  "signature_version": "1.0.0"
}