CVE-2007-0882

Solaris 10 and 11 - Unauthenticated Argument Injection in telnetd via -f Sequence


Exploitation Summary

EIP tracks 4 public exploits for CVE-2007-0882. PoCs published by Metasploit, MC, kingcope, including Metasploit module exploits/solaris/telnet/fuser.

AI-analyzed exploit summary: This Metasploit module exploits an argument injection vulnerability in Solaris 10/11 telnet daemon (in.telnetd) to bypass authentication and execute arbitrary commands. It manipulates telnet protocol negotiations to set environment variables and inject a payload.

Description

Argument injection vulnerability in the telnet daemon (in.telnetd) in Solaris 10 and 11 (SunOS 5.10 and 5.11) misinterprets certain client "-f" sequences as valid requests for the login program to skip authentication, which allows remote attackers to log into certain accounts, as demonstrated by the bin account.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · solaris
https://www.exploit-db.com/exploits/16328

This Metasploit module exploits an argument injection vulnerability in Solaris 10/11 telnet daemon (in.telnetd) to bypass authentication and execute arbitrary commands. It manipulates telnet protocol negotiations to set environment variables and inject a payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Sun Solaris 10/11 in.telnetd
No auth needed
Prerequisites: Network access to target's telnet service (port 23) · Solaris 10/11 target
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by MC · ruby · remote · solaris
https://www.exploit-db.com/exploits/9918

This exploit leverages an argument injection vulnerability in Sun Solaris telnet daemon (in.telnetd) to bypass authentication and execute arbitrary commands. It manipulates telnet protocol negotiations to set environment variables and inject a payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Sun Solaris 10 and 11 telnet daemon (in.telnetd)
No auth needed
Prerequisites: Network access to the target's telnet service (port 23) · Telnet service running on Solaris 10 or 11
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by kingcope · bash · remote · solaris
https://www.exploit-db.com/exploits/3293

This exploit leverages a vulnerability in SunOS 5.10/5.11 in.telnetd by injecting a malformed username (-f<account>) to bypass authentication and gain remote access. The script automates the telnet command with the crafted payload.

Classification: Working PoC 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: SunOS 5.10/5.11 in.telnetd
No auth needed
Prerequisites: network access to target · telnet service running on target
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by MC · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/solaris/telnet/fuser.rb

This Metasploit module exploits an argument injection vulnerability in Solaris telnetd (CVE-2007-0882) to bypass authentication and execute arbitrary commands. It manipulates telnet protocol negotiations to set environment variables and inject a payload.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Sun Solaris 10/11 telnetd (in.telnetd)
No auth needed
Prerequisites: Network access to target's telnet port (23) · Solaris 10/11 target
devstral-2 · analyzed Feb 16, 2026

References (19)

Core References
Broken Link, Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/0560
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/32434
Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/460086/100/100/threaded
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1017625
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/22512
Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/460103/100/100/threaded
Broken Link, Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA07-059A.html
Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/459843/100/0/threaded
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/881872
Broken Link, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/24120
Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2007/Feb/0217.html
Exploit, Third Party Advisory x_refsource_misc
http://isc.sans.org/diary.html?storyid=2220
Broken Link vendor-advisory x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1
Broken Link vdb-entry x_refsource_osvdb
http://osvdb.org/31881
Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/459831/100/0/threaded
Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/459980/100/0/threaded
Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/459855/100/0/threaded

Scores

EPSS: 0.9774
EPSS Percentile: 99.9%

Details

CWE: CWE-88
Status: published
Products (4):
oracle/solaris 10
oracle/solaris 11
sun/sunos 5.10
sun/sunos 5.11
Published: Feb 12, 2007
Tracked Since: Feb 18, 2026