CVE-2001-0554

EXPLOITED

MIT Kerberos - Remote Code Execution via Malformed Telnet AYT Option

Title source: llm

Exploitation Summary

CVE-2001-0554 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including Dvorak.

AI-analyzed exploit summary This exploit targets a buffer overflow vulnerability in BSD-derived telnet daemons (CVE-2001-0554) by manipulating telnet protocol options to overflow a fixed-size buffer. It leverages heap manipulation to achieve remote code execution, specifically binding a shell to a port.

Description

Buffer overflow in BSD-based telnetd telnet daemon on various operating systems allows remote attackers to execute arbitrary commands via a set of options including AYT (Are You There), which is not properly handled by the telrcv function.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Dvorak · cremoteunix

https://www.exploit-db.com/exploits/21018

View Code ZIP pw:eip

This exploit targets a buffer overflow vulnerability in BSD-derived telnet daemons (CVE-2001-0554) by manipulating telnet protocol options to overflow a fixed-size buffer. It leverages heap manipulation to achieve remote code execution, specifically binding a shell to a port.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: BSD-derived telnet daemons (e.g., netkit-telnetd 0.17)

No auth needed

Prerequisites: Network access to the telnet service · Vulnerable telnet daemon version

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (25)

Core 25

Core References

Broken Link vendor-advisory x_refsource_conectiva

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000413

Broken Link vendor-advisory x_refsource_mandrake

http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-068.php3

Broken Link third-party-advisory government-resource x_refsource_ciac

http://www.ciac.org/ciac/bulletins/l-131.shtml

Broken Link vendor-advisory x_refsource_compaq

http://ftp.support.compaq.com/patches/.new/html/SSRT0745U.shtml

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/6875

Broken Link vdb-entry x_refsource_osvdb

http://www.osvdb.org/809

Broken Link, Third Party Advisory, VDB Entry vendor-advisory x_refsource_ibm

http://online.securityfocus.com/advisories/3476

Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://online.securityfocus.com/archive/1/199496

Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://online.securityfocus.com/archive/1/203000

Exploit, Patch, Third Party Advisory, VDB Entry, Vendor Advisory vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/3064

Third Party Advisory vendor-advisory x_refsource_redhat

http://www.redhat.com/support/errata/RHSA-2001-100.html

Broken Link vendor-advisory x_refsource_suse

http://www.novell.com/linux/security/advisories/2001_029_nkitb_txt.html

Broken Link vendor-advisory x_refsource_caldera

ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.10/CSSA-2001-SCO.10.txt

Third Party Advisory vendor-advisory x_refsource_redhat

http://www.redhat.com/support/errata/RHSA-2001-099.html

Third Party Advisory vendor-advisory x_refsource_cisco

http://www.cisco.com/warp/public/707/catos-telrcv-vuln-pub.shtml

Broken Link vendor-advisory x_refsource_hp

http://archives.neohapsis.com/archives/hp/2001-q4/0014.html

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2001/dsa-075

Exploit, Third Party Advisory, VDB Entry, Vendor Advisory mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/197804

Patch, Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert

http://www.cert.org/advisories/CA-2001-21.html

Broken Link, Patch, Vendor Advisory vendor-advisory x_refsource_freebsd

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd.asc

Broken Link vendor-advisory x_refsource_caldera

http://www.calderasystems.com/support/security/advisories/CSSA-2001-030.0.txt

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2001/dsa-070

Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://online.securityfocus.com/archive/1/199541

Broken Link vendor-advisory x_refsource_sgi

ftp://patches.sgi.com/support/free/security/advisories/20010801-01-P

Broken Link vendor-advisory x_refsource_netbsd

ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-012.txt.asc

Scores

EPSS 0.3790

EPSS Percentile 98.4%

Details

VulnCheck KEV 2001-07-18

CWE

CWE-120

Status published

Products (43)

debian/debian_linux 2.2

freebsd/freebsd 2.0

freebsd/freebsd 2.0.1

freebsd/freebsd 2.0.5

freebsd/freebsd 2.1 stable

freebsd/freebsd 2.1.0

freebsd/freebsd 2.1.5

freebsd/freebsd 2.1.6

freebsd/freebsd 2.1.6.1

freebsd/freebsd 2.1.7

... and 33 more

Published Aug 14, 2001

Tracked Since Feb 18, 2026