Detect GNU InetUtils Argument Injection Vulnerability (CVE-2026-24061) in Microsoft Sentinel
CVE-2026-24061 is an argument injection vulnerability (CWE-88) in GNU InetUtils affecting utilities such as telnet, ftp, rsh, rcp, and related tools. An attacker who can control arguments passed to InetUtils binaries may inject additional command-line options, potentially enabling unauthorized network access, privilege escalation, or lateral movement. This vulnerability is listed on the CISA Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.
MITRE ATT&CK
KQL Detection Query
let InetUtilsBinaries = dynamic(["telnet", "ftp", "rsh", "rcp", "rlogin", "tftp", "ping", "traceroute"]);
DeviceProcessEvents
| where FileName in~ (InetUtilsBinaries) or ProcessCommandLine has_any (InetUtilsBinaries)
| where ProcessCommandLine matches regex @"(?i)(\s-[a-zA-Z]{1,3}\s*=|\\x[0-9a-fA-F]{2}|%0[aAdD]|\\n|\\r|;\s*(bash|sh|nc|curl|wget|python|perl))"
| extend SuspiciousArg = extract(@"(\S*(?:-[a-zA-Z]=|%0[aAdD]|;\s*\S+)\S*)", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine, SuspiciousArg, FolderPath
| union (
Syslog
| where Facility == "auth" or SyslogMessage has_any (InetUtilsBinaries)
| where SyslogMessage matches regex @"(?i)(telnet|ftp|rsh|rcp|rlogin).*(-[a-zA-Z]+=|;\s*(bash|sh|nc|curl|wget))"
| project TimeGenerated, Computer, SyslogMessage
)
| order by TimeGenerated descDetects suspicious argument injection patterns in GNU InetUtils binaries (telnet, ftp, rsh, rcp, rlogin, etc.) by identifying command lines containing option-injection sequences, shell metacharacters, or unusual flag combinations that may exploit CVE-2026-24061.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate network administrators using InetUtils with complex argument strings for scripted network diagnostics
- Automated configuration management tools (Ansible, Chef, Puppet) invoking InetUtils with unusual flags
- Security scanners or vulnerability assessment tools that exercise InetUtils argument parsing
- Legacy application wrappers that pass concatenated argument strings to InetUtils binaries
Other platforms for CVE-2026-24061
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1InetUtils telnet argument injection via newline encoding
Expected signal: Auditd EXECVE record showing argv[1] containing a newline character followed by '-l root'; process event logs capturing the raw command-line string with embedded newline.
- Test 2InetUtils ftp option-value injection via concatenated argument
Expected signal: Process execution event showing ftp launched with argument '-o-p', captured by auditd EXECVE or EDR process telemetry.
- Test 3InetUtils rsh argument injection leading to shell spawning
Expected signal: Process launch event for rsh with semicolon-delimited command in arguments; potential child process event for shell spawned to execute 'id'; file creation event for /tmp/argus_injection_test.txt.
Unlock Pro Content
Get the full detection package for CVE-2026-24061 including response playbook, investigation guide, and atomic red team tests.