Detect GNU InetUtils Argument Injection Vulnerability (CVE-2026-24061) in Splunk
CVE-2026-24061 is an argument injection vulnerability (CWE-88) in GNU InetUtils affecting utilities such as telnet, ftp, rsh, rcp, and related tools. An attacker who can control arguments passed to InetUtils binaries may inject additional command-line options, potentially enabling unauthorized network access, privilege escalation, or lateral movement. This vulnerability is listed on the CISA Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.
MITRE ATT&CK
SPL Detection Query
index=* sourcetype IN ("linux_audit", "syslog", "WinEventLog:Security", "xmlwineventlog")
("telnet" OR "ftp" OR "rsh" OR "rcp" OR "rlogin" OR "tftp")
| eval cmd=coalesce(CommandLine, process, message)
| where match(cmd, "(?i)(telnet|ftp|rsh|rcp|rlogin|tftp)")
| where match(cmd, "(?i)(-[a-zA-Z]{1,3}=|%0[aAdD]|\\\\x[0-9a-fA-F]{2}|;\\s*\\b(bash|sh|nc|curl|wget|python|perl)\\b|\\\\n|\\\\r)")
| eval risk_score=case(
    match(cmd, "(?i)\\b(bash|sh|nc|curl|wget|python|perl)\\b"), 90,
    match(cmd, "%0[aAdD]"), 80,
    match(cmd, "-[a-zA-Z]{1,3}="), 60,
    true(), 50
  )
| eval injected_arg=mvindex(split(cmd, " "), 2)
| table _time, host, user, cmd, injected_arg, risk_score
| sort - risk_score, _time

This Splunk query flags suspected argument injection against GNU InetUtils binaries. It reads process execution records from Linux audit, syslog, and Windows event sources, keeps those whose command line names an InetUtils binary and contains an option-injection pattern (an option-value pair, a percent-encoded newline, an escaped hex byte, a literal \n or \r escape, or a semicolon followed by a shell or download tool), and assigns a risk score to each hit. The shell-name check is anchored on word boundaries so that the "sh" inside "rsh" does not by itself score 90.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Network operations scripts that pass complex argument strings to FTP or Telnet for automated transfers
- Penetration testing tooling that legitimately exercises InetUtils argument parsing
- Configuration management pipelines using InetUtils for connectivity testing with non-standard flags
- Legacy backup or monitoring scripts invoking rcp or rsh with concatenated argument strings
Other platforms for CVE-2026-24061
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: InetUtils telnet argument injection via newline encoding
  Expected signal: Auditd EXECVE record showing argv[1] containing a newline character followed by '-l root'; process event logs capturing the raw command-line string with embedded newline.
- Test 2: InetUtils ftp option-value injection via concatenated argument
  Expected signal: Process execution event showing ftp launched with argument '-o-p', captured by auditd EXECVE or EDR process telemetry.
- Test 3: InetUtils rsh argument injection leading to shell spawning
  Expected signal: Process launch event for rsh with semicolon-delimited command in arguments; potential child process event for shell spawned to execute 'id'; file creation event for /tmp/argus_injection_test.txt.
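As an added example, not part of this page's detection package: the Python below mirrors the SPL query's regex filters and risk scoring and runs them over a handful of constructed auditd EXECVE records shaped like the three tests above (plus a percent-encoded newline variant and one benign invocation). It decodes auditd's hex-encoded arguments first, since auditd hex-encodes any argv entry containing whitespace or control characters, and it adds one check the SPL query does not have: a raw control character inside a decoded argument. The record format, timestamps, hostnames, and helper names are assumptions made for the example.

```python
import re

# Python equivalents of the match() patterns in the SPL detection query.
# SPL double-quoted strings unescape "\\s" to \s and "\\\\x" to \\x, so the
# regex engine sees a literal backslash followed by x: the query looks for
# escape sequences written out in text, not for decoded bytes.
BINARY_RE = re.compile(r"(?i)(telnet|ftp|rsh|rcp|rlogin|tftp)")
INJECTION_RE = re.compile(
    r"(?i)(-[a-zA-Z]{1,3}=|%0[aAdD]|\\x[0-9a-fA-F]{2}"
    r"|;\s*\b(bash|sh|nc|curl|wget|python|perl)\b|\\n|\\r)"
)
SHELL_RE = re.compile(r"(?i)\b(bash|sh|nc|curl|wget|python|perl)\b")
ENCODED_NEWLINE_RE = re.compile(r"%0[aAdD]")
OPTION_VALUE_RE = re.compile(r"-[a-zA-Z]{1,3}=")
# Added check, not in the SPL query: a raw control character inside a decoded argv entry.
CONTROL_CHAR_RE = re.compile(r"[\x00-\x1f\x7f]")

# auditd EXECVE arguments appear as a0="telnet", or hex-encoded and unquoted
# (a1=0A2D6C20726F6F74) when they contain whitespace or control characters.
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')

# Constructed sample telemetry shaped like the three tests above, plus a
# percent-encoded newline variant and one benign invocation. Not real captures.
SAMPLE_RECORDS = {
    # Test 1: argv[1] is "\n-l root"; auditd renders it as hex because of the newline and space
    "test1_raw_newline": 'type=EXECVE msg=audit(1700000000.101:1001): argc=3 '
                         'a0="telnet" a1=0A2D6C20726F6F74 a2="host.example"',
    # Test 2: concatenated option and value "-o-p"
    "test2_option_value": 'type=EXECVE msg=audit(1700000000.102:1002): argc=3 '
                          'a0="ftp" a1="-o-p" a2="host.example"',
    # Test 3: argv[2] is "; sh -c id" (hex-encoded because it contains spaces)
    "test3_shell_after_semicolon": 'type=EXECVE msg=audit(1700000000.103:1003): argc=3 '
                                   'a0="rsh" a1="host.example" a2=3B207368202D63206964',
    # Percent-encoded newline, as a web-facing wrapper might log it
    "encoded_newline": 'type=EXECVE msg=audit(1700000000.104:1004): argc=3 '
                       'a0="telnet" a1="host.example%0a-l" a2="root"',
    # Benign automated transfer
    "benign_ftp": 'type=EXECVE msg=audit(1700000000.105:1005): argc=3 '
                  'a0="ftp" a1="-n" a2="host.example"',
}


def parse_execve(record):
    """Return argv from an auditd EXECVE record, decoding hex-encoded arguments."""
    if "type=EXECVE" not in record:
        return []
    args = {}
    for m in ARG_RE.finditer(record):
        idx, quoted, hexed = m.groups()
        args[int(idx)] = quoted if quoted is not None else bytes.fromhex(hexed).decode("utf-8", "replace")
    return [args[i] for i in sorted(args)]


def evaluate(record):
    """Apply the query's filters and risk scoring to one record.

    Returns None when the record would not survive the query's where clauses,
    otherwise a dict mirroring the query's table columns. The raw-control-character
    check is an addition that lets the Test 1 shape through even though the SPL
    pattern list only matches textual escapes such as %0a or \\n.
    """
    argv = parse_execve(record)
    if not argv:
        return None
    cmd = " ".join(argv)  # stands in for coalesce(CommandLine, process, message)
    if not BINARY_RE.search(cmd):
        return None
    matched_spl_pattern = INJECTION_RE.search(cmd) is not None
    raw_control = any(CONTROL_CHAR_RE.search(a) for a in argv)
    if not matched_spl_pattern and not raw_control:
        return None
    if SHELL_RE.search(cmd):
        risk_score = 90
    elif ENCODED_NEWLINE_RE.search(cmd) or raw_control:
        risk_score = 80
    elif OPTION_VALUE_RE.search(cmd):
        risk_score = 60
    else:
        risk_score = 50
    tokens = cmd.split(" ")  # same heuristic as mvindex(split(cmd, " "), 2)
    injected_arg = tokens[2] if len(tokens) > 2 else None
    return {
        "cmd": cmd,
        "injected_arg": injected_arg,
        "risk_score": risk_score,
        "matched_spl_pattern": matched_spl_pattern,
        "raw_control": raw_control,
    }


def run_detection(records):
    """Evaluate every record and order the hits like `sort - risk_score`."""
    hits = [h for h in (evaluate(r) for r in records) if h is not None]
    return sorted(hits, key=lambda h: -h["risk_score"])


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        print(name, "->", evaluate(record))
```

Running it shows two things the test list alone does not. The Test 1 shape only survives the query's own pattern list if the log pipeline has already rendered the newline as %0a or a literal \n, because auditd delivers the raw newline hex-encoded; here it is caught only by the added control-character check. The Test 2 shape ('-o-p', with no '=') matches none of the query's patterns, so Test 2 is a tuning item rather than a confirmed detection. The injected_arg heuristic also shows its limits: for the newline case it returns "root", the token after the split, rather than the injected option itself.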