Active exploitation of a critical authentication bypass vulnerability in the GNU InetUtils telnetd server (CVE-2026-24061) has been observed in the wild, allowing unauthenticated attackers to gain root access to Linux systems.
The vulnerability, which affects GNU InetUtils versions 1.9.3 through 2.7, yields an unauthenticated root shell by manipulating the USER environment variable passed during the Telnet negotiation phase.
GreyNoise has detected a coordinated exploitation campaign targeting Telnet services (TCP/23) using the telnetd -f authentication bypass flaw.
The attack is an argument injection: the Telnet daemon passes the unsanitized, client-supplied USER environment variable to the /usr/bin/login binary as a command-line argument. By supplying the value -f root, attackers make login treat the session as pre-authenticated, bypassing all credential checks and granting a direct root shell.
Recent analysis of honeypot traffic has captured 60 unique exploitation attempts from 18 distinct source IP addresses. These attacks range from opportunistic scanning to targeted persistence mechanisms, including SSH key injection and malware deployment.
telnetd Vulnerability CVE-2026-24061
The vulnerability resides in the way telnetd invokes the login program. Typically, telnetd executes /usr/bin/login (running as root) and passes the client-supplied USER variable as the final argument, without checking whether that value begins with a dash.
The exploitation flow proceeds as follows:
Negotiation: The attacker initiates a Telnet connection and sends a malicious NEW-ENVIRON (ENVIRON) variable during option negotiation.
Injection: The USER variable is set to -f root.
Execution: telnetd executes login -p -h <remote host> -f root, where -p preserves the environment and -h records the remote host name; the trailing -f root comes verbatim from the attacker.
Bypass: The -f flag instructs login to skip authentication for the specified user (root), granting a shell.
Analysis of captured attack traffic reveals distinct patterns in attacker behavior. The most prolific source, 178.16.53[.]82, accounted for 12 sessions targeting 10 unique systems, using a consistent payload configuration (9600 baud, XTERM-256COLOR).
Attackers are using varying payload configurations to evade simple signature detection:
Terminal Speed: 38400 baud and 9600 baud are common, though some attacks negotiate 0,0 (no speed).
Terminal Type: Payloads vary between the standard XTERM-256COLOR, the lowercase variant xterm-256color, and generic UNKNOWN types.
Target Users: While root is the primary target (83% of attempts), probes for nobody, daemon, and randomized users such as nonexistent123 have been observed.
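The Python script below is an added example, not code from the article or from GreyNoise. It shows how a honeypot or network sensor can both detect the injection described in the exploitation flow above and extract the terminal-speed, terminal-type and target-user fingerprints used above to cluster sources. It decodes the client's Telnet option subnegotiations for TERMINAL-TYPE (option 24, RFC 1091), TERMINAL-SPEED (option 32, RFC 1079) and NEW-ENVIRON (option 39, RFC 1572) and flags any USER value that begins with a dash, which is exactly what telnetd would hand to login as an option. The two client streams are constructed inline for the demonstration, and the function and class names are my own.

```python
"""Added example: decode Telnet client option subnegotiations and flag the
CVE-2026-24061 pattern (a NEW-ENVIRON USER value that login(1) would parse as
an option). The sample streams at the bottom are constructed, not captured."""
from __future__ import annotations

from dataclasses import dataclass, field

# Telnet protocol bytes (RFC 854) and the three option codes of interest
IAC, SE, SB = 255, 240, 250
WILL, WONT, DO, DONT = 251, 252, 253, 254
OPT_TTYPE, OPT_TSPEED, OPT_NEW_ENVIRON = 24, 32, 39      # RFC 1091, 1079, 1572
IS = 0                                                   # "IS" subcommand for all three
ENV_VAR, ENV_VALUE, ENV_ESC, ENV_USERVAR = 0, 1, 2, 3    # NEW-ENVIRON payload tokens


def split_subnegotiations(stream: bytes) -> list[bytes]:
    """Return the body of each IAC SB ... IAC SE block, un-escaping IAC IAC."""
    subs, i, n = [], 0, len(stream)
    while i < n:
        if stream[i] != IAC or i + 1 >= n:
            i += 1                                  # plain data byte
            continue
        cmd = stream[i + 1]
        if cmd in (WILL, WONT, DO, DONT):
            i += 3                                  # IAC <cmd> <option>
        elif cmd == SB:
            i, body = i + 2, bytearray()
            while i < n:
                if stream[i] == IAC and i + 1 < n and stream[i + 1] == IAC:
                    body.append(IAC); i += 2        # escaped 0xFF inside SB
                elif stream[i] == IAC and i + 1 < n and stream[i + 1] == SE:
                    i += 2; break                   # end of subnegotiation
                else:
                    body.append(stream[i]); i += 1
            subs.append(bytes(body))
        else:
            i += 2                                  # any other two-byte command
    return subs


def parse_new_environ(body: bytes) -> dict[str, str]:
    """Decode a NEW-ENVIRON IS payload (body[0]=39, body[1]=IS) into {name: value}."""
    env, name, value, i = {}, None, None, 2
    while i < len(body):
        b = body[i]
        if b in (ENV_VAR, ENV_USERVAR):             # start of a new variable
            if name is not None:
                env[bytes(name).decode("latin-1")] = bytes(value or b"").decode("latin-1")
            name, value = bytearray(), None
        elif b == ENV_VALUE:
            value = bytearray()
        else:
            if b == ENV_ESC and i + 1 < len(body):  # ESC: next byte is literal
                i += 1
                b = body[i]
            buf = value if value is not None else name
            if buf is not None:
                buf.append(b)
        i += 1
    if name is not None:
        env[bytes(name).decode("latin-1")] = bytes(value or b"").decode("latin-1")
    return env


@dataclass
class ClientFingerprint:
    user: str | None = None
    term: str | None = None
    speed: str | None = None
    env: dict[str, str] = field(default_factory=dict)

    @property
    def login_flag_injection(self) -> bool:
        """A USER beginning with '-' reaches login(1) as an option (e.g. '-f root')."""
        return self.user is not None and self.user.startswith("-")


def fingerprint_client(stream: bytes) -> ClientFingerprint:
    """Extract speed, terminal type and NEW-ENVIRON variables from a client stream."""
    fp = ClientFingerprint()
    for body in split_subnegotiations(stream):
        if len(body) < 2 or body[1] != IS:
            continue
        opt, payload = body[0], body[2:]
        if opt == OPT_TTYPE:
            fp.term = payload.decode("latin-1")
        elif opt == OPT_TSPEED:
            fp.speed = payload.decode("latin-1")     # "tx,rx" per RFC 1079
        elif opt == OPT_NEW_ENVIRON:
            fp.env = parse_new_environ(body)
            fp.user = fp.env.get("USER")
    return fp


def _sb(opt: int, payload: bytes) -> bytes:
    """Build IAC SB <opt> <payload> IAC SE, escaping any 0xFF in the payload."""
    return bytes([IAC, SB, opt]) + payload.replace(b"\xff", b"\xff\xff") + bytes([IAC, SE])


def _environ_is(**env: str) -> bytes:
    out = bytes([IS])
    for k, v in env.items():
        out += bytes([ENV_VAR]) + k.encode() + bytes([ENV_VALUE]) + v.encode()
    return out


# Constructed client streams (not captured traffic): the exploit pattern and a normal login
MALICIOUS_STREAM = (bytes([IAC, WILL, OPT_NEW_ENVIRON])
                    + _sb(OPT_TSPEED, bytes([IS]) + b"9600,9600")
                    + _sb(OPT_TTYPE, bytes([IS]) + b"XTERM-256COLOR")
                    + _sb(OPT_NEW_ENVIRON, _environ_is(USER="-f root")))
BENIGN_STREAM = (_sb(OPT_TSPEED, bytes([IS]) + b"38400,38400")
                 + _sb(OPT_TTYPE, bytes([IS]) + b"xterm-256color")
                 + _sb(OPT_NEW_ENVIRON, _environ_is(USER="alice", DISPLAY="host:0")))

if __name__ == "__main__":
    for label, stream in (("malicious", MALICIOUS_STREAM), ("benign", BENIGN_STREAM)):
        fp = fingerprint_client(stream)
        print(f"{label}: user={fp.user!r} term={fp.term!r} speed={fp.speed!r} "
              f"flag_injection={fp.login_flag_injection}")
```

The same leading-dash check is the cheapest server-side mitigation while a patched InetUtils build is being rolled out: anything telnetd forwards to login as a positional argument must be rejected if it starts with a dash, since login will otherwise parse it as an option.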
Upon gaining access, attackers immediately execute reconnaissance commands (uname -a, id, cat /etc/passwd), often wrapped in delimiters (e.g., S…EU…blah) so that the output can be parsed automatically by C2 infrastructure.
More advanced actors attempt to establish persistence. One campaign from 216.106.186[.]24 attempted to append a 3072-bit RSA key to ~/.ssh/authorized_keys. The same actor also attempted to fetch a second-stage Python payload (apps[.]py) from a distribution server, indicating a possible botnet recruitment drive.
CVE ID            Severity   CVSS Score       Affected Versions
CVE-2026-24061    Critical   9.8 (Critical)   GNU InetUtils 1.9.3 – 2.7
Indicators of Compromise (IOCs)
Indicator Type   Value                                 Context
Attacker IP      178.16.53[.]82                        Top source (12 sessions), reconnaissance
Attacker IP      216.106.186[.]24                      SSH key injection, malware download
Attacker IP      67.220.95[.]16                        Malware distribution, exploitation
Attacker IP      156.238.237[.]103                     Confirmed root access (IDS alert)
Malware URL      http://67.220.95[.]16:8000/apps.py    Python payload delivery
File Name        apps[.]py                             Second-stage payload
SSH Key          [email protected][.]hosting            Key comment associated with persistence attempts
