Comprehensive Threat Exposure Management Platform
The successful exploitation of CVE-2026-24061 poses an extremely high risk to organizations running vulnerable GNU InetUtils telnetd services. Attackers gaining root-level access without authentication can execute arbitrary commands, install persistent backdoors through SSH key injection, deploy malware, exfiltrate sensitive data, and pivot laterally within networks to compromise additional systems. The trivial nature of exploitation, combined with the availability of public proof-of-concept code, significantly lowers the barrier for attackers of all skill levels. Organizations with exposed Telnet services face immediate risk of complete system compromise, and given the legacy nature of Telnet deployments, affected systems may include critical infrastructure components, embedded systems, network appliances, and OT-adjacent environments where rapid patching may be challenging. This decade-old vulnerability remained dormant in GNU InetUtils telnetd from March 2015 until its discovery in January 2026, affecting all versions from 1.9.3 through 2.7.
A severe remote authentication bypass has been uncovered in the telnetd component of GNU InetUtils, tracked as CVE-2026-24061. The flaw allows any unauthenticated remote attacker to gain instant root access by exploiting a long-standing argument injection bug in how the Telnet daemon handles the USER environment variable.
The issue originates from a commit introduced in March 2015. A code change added ‘%U’ expansion to the command template used to invoke ‘/usr/bin/login’. During Telnet session negotiation, clients are permitted to supply environment variables. Telnetd retrieves the USER value via ‘getenv(“USER”)’ and inserts it directly into the login command line without validation or sanitization.
This oversight enables a clean and devastating exploit. By setting the USER variable to ‘-f root’, an attacker injects the ‘-f’ (force login) flag into the login invocation. The login binary interprets this flag as an instruction to skip authentication entirely and immediately grant a shell for the specified user. The result is a root shell with no password, no credentials, and no interaction.
All GNU InetUtils versions from 1.9.3 through 2.7 are affected. The vulnerability has a remote attack vector, requires no privileges, no user interaction, and carries total impact across confidentiality, integrity, and availability. Beyond authentication bypass, attackers can also set arbitrary environment variables for child processes spawned by telnetd, enabling further compromise through mechanisms such as PATH manipulation.
Exploitation was observed within 18 hours of public disclosure. Telemetry captured 60 exploitation attempts across 18 unique attacker IP addresses, spanning Hong Kong, the United States, Japan, the Netherlands, China, Germany, Singapore, and Thailand. Approximately 800,000 Telnet servers remain exposed globally, creating a broad and immediate attack surface.
Post-compromise behavior confirms automated abuse. Attackers executed system reconnaissance commands, injected SSH public keys to establish persistence, and attempted to retrieve second-stage Python malware from external infrastructure. Over 83% of observed attacks explicitly targeted root access. The exploit itself fits on a single line and requires no specialized tooling.
This is a textbook argument injection vulnerability. User-supplied input is passed directly to a privileged binary with zero checks. No filtering. No escaping. No safeguards. The bug remained dormant for nearly 11 years in widely deployed code. Telnet is still common in OT/ICS environments, embedded systems, legacy routers, and unmaintained infrastructure, where patching is rare or nonexistent. The lesson is not subtle: a trivial input-handling flaw silently granted universal root access for over a decade.
GNU InetUtils telnetd should upgrade to version 2.8 or later without delay. The GNU InetUtils maintainers have released patches that sanitize all variables before expansion, addressing both the authentication bypass and the broader environment variable injection issues. For systems unable to upgrade to 2.8, apply the specific security commits (fd702c02497b2f398e739e3119bed0b23dd7aa7b and ccba9f748aa8d50a38d7748e2e60362edd6a32cc) from the Codeberg repository.
Telnet is a legacy protocol that transmits data, including credentials in cleartext, and should not be used in modern environments. Organizations should disable telnetd services entirely and migrate to secure alternatives such as SSH for remote administration. This recommendation aligns with long-standing security best practices and eliminates the vulnerability.
If immediate patching or service discontinuation is not feasible, restrict network access to Telnet services at the perimeter firewall level. Block incoming connections to TCP port 23 from untrusted networks and configure firewall rules to allow Telnet access only from explicitly trusted IP addresses or network segments. This reduces the attack surface while permanent remediation is implemented.
Security teams should review logs for signs of exploitation attempts targeting Telnet services, particularly connection attempts with unusual USER environment variable values containing “-f” flags.
Given observed post-exploitation activities involving SSH key injection, administrators should audit ~/.ssh/authorized_keys files on all potentially affected systems for unauthorized entries. Any unfamiliar SSH public keys should be removed immediately, and affected user passwords should be rotated. Consider implementing file integrity monitoring on authorized_keys files to detect future unauthorized modifications.
Conduct a comprehensive asset inventory to identify all systems running Telnet services across the organization, including network devices, embedded systems, and legacy infrastructure. Use the Shadowserver Foundation’s Accessible Telnet Report to identify externally exposed instances. Prioritize remediation based on exposure level and system criticality.
As a temporary workaround for systems that cannot be immediately patched, configure telnetd to use a custom login wrapper that does not support the -f parameter. This prevents the authentication bypass while allowing Telnet services to continue functioning for operational requirements during the remediation window.
Initial Access
Privilege Escalation
Credential Access
Execution
Persistence
Discovery
Command and Control
Attacker IP Addresses:
Get through updates and upcoming events, and more directly in your inbox