CVE-2026-24061

GNU InetUtils telnetd Authentication Bypass Vulnerability

CVE-2026-24061 is a critical authentication bypass vulnerability in GNU InetUtils telnetd that allows a remote, unauthenticated attacker to obtain root-level access by abusing how the Telnet daemon invokes the system login process. The vulnerability is trivially exploitable wherever telnetd is reachable over the network and carries a CVSS v3.1 score of 9.8 (Critical).

Because no authentication, user interaction, or special conditions are required, any exposed telnetd service should be treated as immediately at risk.

Active exploitation observed

GreyNoise reports IP addresses have been observed attempting to exploit CVE-2026-24061, an authentication bypass vulnerability in GNU InetUtils telnetd through version 2.7. Observed activity includes attempts to abuse the flaw by supplying a crafted “-f root” value for the USER environment variable to bypass authentication and obtain root access.

This confirms the vulnerability is being actively targeted and should be treated as an immediate risk wherever telnetd is exposed.

Stop Guessing, Start Proving

What it is and why it matters

GNU InetUtils telnetd is a Telnet server daemon responsible for accepting incoming Telnet connections, negotiating protocol options, and invoking the local login program to authenticate users. While Telnet is an aging protocol, telnetd remains present in many environments, including embedded Linux systems, network appliances, industrial and OT devices, and legacy vendor images where backward compatibility or operational convenience outweighs security hardening.

CVE-2026-24061 exists because telnetd fails to sanitize the USER environment variable before expanding it into the command line used to invoke login. A malicious Telnet client can supply a crafted value such as -f root, causing telnetd to execute: login -f root. The -f flag instructs login to bypass authentication entirely, resulting in an unauthenticated root shell.

This is a single-step, remote compromise that grants full administrative control of the host. An attacker can establish persistence, extract credentials, pivot into adjacent networks, or disrupt operations. The risk is amplified when telnetd is present on management networks, OT environments, or fleet-deployed devices that are difficult to rebuild or patch quickly..

Quick actions — do these now

• Patch immediately by applying the upstream GNU InetUtils fixes released January 20, 2026, or upgrading to a release that incorporates those patches.
• Disable telnetd entirely wherever possible. If Telnet cannot be removed immediately, restrict access to trusted IPs and apply compensating controls.

NodeZero® Offensive Security Platform — Rapid Response

The GNU InetUtils telnetd Rapid Response test (CVE-2026-24061), released January 23, 2026, enables customers to safely verify whether telnetd instances are exploitable to the authentication bypass flaw and therefore susceptible to unauthenticated root compromise, and to confirm remediation.

• Run the Rapid Response test — run the GNU InetUtils telnetd — CVE-2026-24061 Rapid Response test from the customer portal to scan internet-facing and internal hosts for exploitable telnetd services vulnerable to the crafted USER environment variable attack.
• Patch or mitigate immediately — apply the upstream GNU InetUtils fixes released January 20, 2026, or upgrade to a fixed InetUtils release. If patching is not immediately possible, disable telnetd entirely or restrict access to trusted IP ranges and block unsafe login -f invocation as a temporary mitigation.
• Harden affected environments — review systems for exposed TCP/23 services, remove Telnet from device images where possible, and enforce compensating controls in management and OT networks where telnetd cannot be rapidly removed.
• Re-run the Rapid Response test — after patching or mitigation, re-run the GNU InetUtils telnetd Rapid Response test to confirm the authentication bypass is no longer exploitable.

If the Rapid Response test confirms exploitability, collect forensic artifacts (Telnet session logs, process execution showing login -f usage, root shells spawned without authentication, and any post-compromise activity), isolate affected systems, and open an incident with your IR team.

Indicators of compromise (for hunting)

Exploitation of CVE-2026-24061 may leave limited forensic artifacts. Defenders should review affected systems for:

• Telnet sessions resulting in root shells without corresponding authentication events
• login processes invoked with the -f flag
• Unexpected changes to startup scripts, cron jobs, or privileged user accounts
• Lateral movement or pivoting activity originating from Telnet-enabled hosts

Because this attack abuses normal process execution paths, absence of alerts should not be treated as confirmation that systems are uncompromised.

Affected versions and patch

Affected versions
GNU InetUtils versions 1.9.3 through 2.7

Patch guidance
Apply the upstream patches released on January 20, 2026, which sanitize environment variable expansion before invoking login, or upgrade to a fixed InetUtils release that includes these changes.

If immediate patching is not feasible, disable telnetd or enforce strict access controls and compensating mitigations until remediation is complete.

Timeline (key)

• January 20, 2026 — Vulnerability publicly disclosed via OSS-Security
• January 20, 2026 — GNU InetUtils patches released
• January 21, 2026 — CVE-2026-24061 published with Critical severity

References

• OSS-Security Advisory — GNU InetUtils telnetd Authentication Bypass
• NIST NVD — CVE-2026-24061
• GreyNoise — GNU InetUtils telnetd Authentication Bypass (CVE-2026-24061) Threat Activity