A vital authentication bypass vulnerability within the telnetd part of GNU Inetutils has uncovered roughly 800,000 internet-accessible Telnet cases to unauthenticated distant code execution (RCE).
Tracked as CVE-2026-24061 with a CVSS rating of 9.8, the flaw permits attackers to realize root-level entry with out legitimate credentials, posing a extreme danger to uncovered infrastructure worldwide.
Vulnerability Particulars
The vulnerability stems from an argument injection flaw in telnetd variations 1.9.3 by 2.7.
The telnetd server fails to sanitize the USER setting variable earlier than passing it to/usr/bin/login, permitting attackers to inject the string “-f root” and bypass authentication totally.
When an attacker connects utilizing telnet -a or –login with USER set to “-f root”, the login course of interprets the “-f” flag as a force-login parameter, routinely granting root entry with out performing authentication checks.
The vulnerability was launched in a March 2015 supply code commit that remained undetected for practically 11 years throughout main Linux distributions, together with Debian, Ubuntu, Kali Linux, and Trisquel.
Proof-of-concept exploits have been publicly launched and are actively being leveraged within the wild.
GreyNoise detected real-world exploitation inside 18 hours of public disclosure, capturing 1,525 packets throughout 60 Telnet classes from 18 distinctive attacker IPs between January 21-22, 2026.
Nearly all of assaults (83.3%) focused root consumer entry, with post-exploitation actions together with SSH key persistence, system reconnaissance, and makes an attempt to deploy malware.
Organizations ought to instantly improve to GNU InetUtils model 2.8 or later.
Relating to CVE-2026-24061 in GNU InetUtils telnetd: whereas we aren’t scanning for it explicitly (on account of present lack of means to examine in a secure manner, we share – and have for years – knowledge on uncovered cases in our Accessible Telnet Report: uncovered pic.twitter.com/cPLGvOtnZK— The Shadowserver Basis (@Shadowserver) January 26, 2026
For programs unable to improve, vital mitigations embrace: turning off the telnetd service totally, blocking TCP port 23 at community perimeter firewalls, and proscribing Telnet entry to trusted purchasers solely.
The Shadowserver Basis’s Accessible Telnet Report may help organizations determine uncovered cases on their networks.
Comply with us on Google Information, LinkedIn, and X for day by day cybersecurity updates. Contact us to function your tales.
