CVE-2011-4862

EXPLOITED IN THE WILD

GNU inetutils < 1.9 - Remote Code Execution via Long Encryption Key

Exploitation Summary

CVE-2011-4862 has been observed exploited in the wild (reported by VulnCheck KEV and InTheWild.io). EIP tracks 10 public exploits from researchers including Metasploit, NighterMan & BatchDrake, and hdbreaker; these include the Metasploit module auxiliary/scanner/telnet/telnet_encrypt_overflow.

AI-analyzed exploit summary: This Metasploit module exploits a buffer overflow in the encryption option handler of Linux BSD-derived telnet services (inetutils or krb5-telnet). It sends a maliciously crafted encryption key ID to achieve remote code execution.

Description

Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2 and earlier, Heimdal 1.5.1 and earlier, GNU inetutils, and possibly other products allows remote attackers to execute arbitrary code via a long encryption key, as exploited in the wild in December 2011.

Exploits (10)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · linux
https://www.exploit-db.com/exploits/18368

This Metasploit module exploits a buffer overflow in the encryption option handler of Linux BSD-derived telnet services (inetutils or krb5-telnet). It sends a maliciously crafted encryption key ID to achieve remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Linux BSD-derived telnet service (inetutils or krb5-telnet)
No auth needed
Prerequisites: Target must be running a vulnerable BSD-derived telnet service · Network access to the telnet port
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · bsd
https://www.exploit-db.com/exploits/18369

This exploit targets a buffer overflow in the FreeBSD telnet service's encryption option handler (CVE-2011-4862). It sends a crafted payload to trigger the vulnerability, leading to remote code execution with elevated privileges.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: FreeBSD telnet service (versions 5.3, 6.0-6.4, 7.0-7.4, 8.0-8.2)
No auth needed
Prerequisites: Network access to the target's telnet service · Telnet service with encryption enabled
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by NighterMan & BatchDrake · c · remote · linux
https://www.exploit-db.com/exploits/18280

This exploit targets a vulnerability in telnetd's encryption key ID handling (CVE-2011-4862) to achieve remote code execution. It uses a buffer overflow to overwrite a function pointer and trigger shellcode execution, supporting multiple targets including Linux, BSD, and SPARC systems.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: telnetd (multiple versions including Inetutils, Heimdal, FreeBSD, NetBSD)
No auth needed
Prerequisites: Network access to vulnerable telnetd service · Target system must be running a vulnerable version of telnetd
devstral-2 · analyzed Feb 16, 2026

nomisec · WORKING POC · 4 stars
by hdbreaker · remote
https://github.com/hdbreaker/GO-CVE-2011-4862

This is a Go-based exploit for CVE-2011-4862, targeting a buffer overflow vulnerability in the telnet service. It includes shellcode execution for remote command execution (RCE) via a crafted payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Telnet service (specific version not specified in code)
No auth needed
Prerequisites: Network access to vulnerable telnet service · Target system must be running vulnerable telnet version
devstral-2 · analyzed Feb 16, 2026

nomisec · WRITEUP · 1 star
by appsecrani · poc
https://github.com/appsecrani/CVE-2011-4862

This repository provides a technical analysis and patch for CVE-2011-4862, a buffer overflow vulnerability in FreeBSD's telnetd. The patch adds a length check to prevent overflow by setting len to 0 if it exceeds MAXKEYLEN.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: FreeBSD telnetd (heimdal and contrib versions)
No auth needed
Prerequisites: Access to vulnerable FreeBSD telnetd service
devstral-2 · analyzed Feb 20, 2026

nomisec · WRITEUP · 1 star
by kpawar2410 · poc
https://github.com/kpawar2410/CVE-2011-4862

This repository provides a patch for CVE-2011-4862, a buffer overflow vulnerability in FreeBSD's telnetd. The patch adds a length check to prevent overflow by setting len to 0 if it exceeds MAXKEYLEN.

Classification: Writeup 90%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: FreeBSD telnetd (heimdal and contrib telnet libraries)
No auth needed
Prerequisites: Access to a vulnerable FreeBSD system with telnetd enabled
devstral-2 · analyzed Feb 16, 2026

nomisec · WRITEUP
by lol-fi · poc
https://github.com/lol-fi/cve-2011-4862

This repository contains a writeup and a custom patch for CVE-2011-4862, a buffer overflow vulnerability in FreeBSD's telnetd. The author describes their approach to patching the vulnerability and provides instructions for applying the patch.

Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: FreeBSD telnetd
No auth needed
Prerequisites: Access to FreeBSD system with vulnerable telnetd
devstral-2 · analyzed Feb 16, 2026

metasploit · SCANNER
ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb

This Metasploit module scans for a buffer overflow vulnerability in BSD-derived telnetd services by sending malformed encryption key ID packets and checking for abnormal responses. It does not exploit the vulnerability but detects its presence.

Classification: Scanner 100%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: BSD-derived telnetd (e.g., FreeBSD, NetBSD, OpenBSD)
No auth needed
Prerequisites: Network access to the target's telnet service (port 23)
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC · GREAT
ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/telnet/telnet_encrypt_keyid.rb

This Metasploit module exploits a buffer overflow in the encryption option handler of Linux BSD-derived telnet services (inetutils or krb5-telnet). It sends a crafted payload to trigger the vulnerability, leading to remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Linux BSD-derived telnet service (inetutils or krb5-telnet)
No auth needed
Prerequisites: Network access to the target telnet service · Target running a vulnerable version of inetutils or krb5-telnet
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC · GREAT
ruby · poc · bsd
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/freebsd/telnet/telnet_encrypt_keyid.rb

This Metasploit module exploits a buffer overflow in the FreeBSD telnet service's encryption option handler (CVE-2011-4862). It sends a crafted payload to trigger the vulnerability, leading to remote code execution with elevated privileges.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: FreeBSD telnet service (versions 5.3, 5.5, 6.0-6.4, 7.0-7.4, 8.0-8.2)
No auth needed
Prerequisites: Network access to the target's telnet service · Telnet service with encryption enabled
devstral-2 · analyzed Feb 16, 2026

References (42)

Core References
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00010.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/47399
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2011/dsa-2375
Third Party Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2011-1854.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00004.html
Broken Link mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2011-12/0172.html
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2011/dsa-2372
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/47359
Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2012-January/071640.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/47374
Mitigation, Vendor Advisory vendor-advisory x_refsource_freebsd
http://security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00005.html
Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2012-January/071627.html
Third Party Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2011:195
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00007.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00011.html
Broken Link vdb-entry x_refsource_osvdb
http://osvdb.org/78020
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1026463
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/47341
Third Party Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2011-1852.html
Third Party Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2011-1853.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00014.html
Patch, Vendor Advisory x_refsource_confirm
http://security.freebsd.org/patches/SA-11:08/telnetd.patch
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/47357
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/46239
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00002.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/47397
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/47373
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00015.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/47441
Patch, Vendor Advisory x_refsource_confirm
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2011-008.txt
Third Party Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2011-1851.html
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/18280/
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/47348
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1026460
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2011/dsa-2373
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/71970

Scores

EPSS 0.9238
EPSS Percentile 99.7%

Details

VulnCheck KEV 2011-12-23
InTheWild.io 2021-02-09
CWE CWE-120
Status published
Products (18)
debian/debian_linux 5.0
debian/debian_linux 6.0
debian/debian_linux 7.0
fedoraproject/fedora 15
fedoraproject/fedora 16
freebsd/freebsd 7.3 - 9.0
gnu/inetutils < 1.9
heimdal_project/heimdal < 1.5.1
mit/krb5-appl < 1.0.2
opensuse/opensuse 11.3
... and 8 more
Published Dec 25, 2011
Tracked Since Feb 18, 2026