CVE-2005-1205
Description
The Telnet client for Microsoft Windows XP, Windows Server 2003, and Windows Services for UNIX allows remote attackers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
5cpe:2.3:o:microsoft:windows_2003_server:enterprise:*:64-bit:*:*:*:*:*+ 3 more
- cpe:2.3:o:microsoft:windows_2003_server:enterprise:*:64-bit:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:r2:*:64-bit:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:standard:*:64-bit:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:web:*:*:*:*:*:*:*
Patches
Vulnerability mechanics
Root cause
"The Telnet client responds to the NEW-ENVIRON option with a SEND ENV_USERVAR command, disclosing environment variables that should be restricted."
Attack vector
An attacker hosts a malicious Telnet server or crafts a Telnet URL that causes the victim's Telnet client to connect to it. Once connected, the attacker sends a NEW-ENVIRON SEND ENV_USERVAR command, and the vulnerable Telnet client responds by transmitting the user's session environment variables [ref_id=1]. The attacker can deliver the malicious Telnet URL via a web page (persuading the user to click a link) or via an email message containing the crafted URL [ref_id=1]. User interaction (clicking the link or connecting to the malicious server) is required in every case [ref_id=1].
Affected code
The advisory does not specify individual function names or file paths. The vulnerability exists in the Telnet client component of Microsoft Windows XP, Windows Server 2003, and Windows Services for UNIX (all versions) [ref_id=1].
What the fix does
The update restricts which session variables the Telnet client will disclose to a Telnet server. It limits responses to only the "well known" variables defined in Internet RFC 1572, plus the SFUTLNTVER and SFUTLNTMODE variables needed by Windows Services for UNIX Telnet servers; all other session variables are blocked [ref_id=1]. A new registry key was also added to let administrators specify additional environment variables that the Telnet client may disclose [ref_id=1].
Preconditions
- networkThe victim's Telnet client must connect to a malicious Telnet server controlled by the attacker.
- inputThe attacker sends a NEW-ENVIRON option with a SEND ENV_USERVAR command to the victim's Telnet client.
- authNo authentication is required; any anonymous user who can deliver a specially crafted message can attempt exploitation.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
9- idefense.com/application/poi/displaynvdPatchVendor Advisory
- secunia.com/advisories/15690/nvdPatchVendor Advisory
- www.kb.cert.org/vuls/id/800829nvdPatchThird Party AdvisoryUS Government Resource
- securitytracker.com/idnvd
- www.securityfocus.com/bid/13940nvd
- docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-033nvd
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1132nvd
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A605nvd
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A784nvd
News mentions
0No linked articles in our index yet.