Critical GNU InetUtils telnetd Vulnerability (CVE-2026-24061) Allows Remote Root Access via Authentication Bypass
- Rescana
- Jan 25

Executive Summary
A critical vulnerability has been identified in GNU InetUtils telnetd (CVE-2026-24061, CVSS 9.8), which enables remote attackers to bypass authentication and obtain root access by exploiting improper handling of the USER environment variable. This flaw impacts all versions of GNU InetUtils telnetd from 1.9.3 up to and including 2.7. The vulnerability is being actively exploited in the wild, with threat activity observed from multiple global regions. Immediate action is required to mitigate the risk of unauthorized root access and potential system compromise.
Technical Information
The vulnerability, tracked as CVE-2026-24061, resides in the telnetd daemon of GNU InetUtils. The flaw is classified as an argument injection vulnerability (CWE-88) and is rated as critical with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The root cause is the unsanitized propagation of the USER environment variable from the telnet client to the /usr/bin/login process. Specifically, telnetd passes the USER variable directly as the final argument to the login utility. If an attacker supplies a value such as -f root for USER, the login process interprets this as a directive to "force login as user without authentication," thereby granting immediate root shell access.
This vulnerability was introduced in a code commit dated March 19, 2015, and first appeared in version 1.9.3 of GNU InetUtils. The affected code path allows any remote user to connect to a vulnerable telnetd service and, by manipulating the USER variable, bypass all authentication mechanisms. The attack does not require prior knowledge of credentials or any form of user interaction.
A typical exploitation scenario involves an attacker initiating a telnet session to a vulnerable host and specifying the USER variable as -f root. The telnetd daemon, upon receiving this value, invokes /usr/bin/login -f root, which, due to the semantics of the -f flag, results in an unauthenticated root shell. This is a textbook example of argument injection, where user-supplied input is unsafely incorporated into a privileged process invocation.
The vulnerability is particularly severe because telnetd often runs with elevated privileges and is accessible over the network. Attackers can leverage automated scanning tools to identify exposed telnetd services and launch mass exploitation campaigns. The attack vector is network-based, requires no authentication, and can be executed with minimal technical sophistication.
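To make the argument-injection mechanics concrete, here is an added C example (not GNU InetUtils code) that contrasts the unsafe argv construction the advisory describes with a hardened version; the `--` end-of-options handling and the 32-character name bound are assumptions about the login binary in use, not facts from the advisory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define LOGIN_ARGV_MAX 8
#define USERNAME_MAX 32          /* assumed bound, in the spirit of LOGIN_NAME_MAX */

/* Unsafe pattern the advisory describes (constructed illustration, not
 * telnetd's code): the client-controlled USER value becomes the final
 * argv entry of /usr/bin/login untouched, so "-f root" reaches login as
 * an option rather than as a user name. */
int build_login_argv_unsafe(const char *user, const char *argv[LOGIN_ARGV_MAX]) {
    int n = 0;
    argv[n++] = "/usr/bin/login";
    argv[n++] = user;                /* attacker-controlled, never validated */
    argv[n] = NULL;
    return n;
}

/* Hardened policy: a user name must be non-empty, must not start with '-',
 * and may contain only the POSIX portable filename characters
 * [A-Za-z0-9._-] commonly accepted for account names. */
bool is_safe_username(const char *user) {
    if (user == NULL || *user == '\0' || *user == '-') return false;
    if (strlen(user) > USERNAME_MAX) return false;
    for (const char *p = user; *p; p++) {
        bool ok = (*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') ||
                  (*p >= '0' && *p <= '9') || *p == '_' || *p == '.' || *p == '-';
        if (!ok) return false;
    }
    return true;
}

/* Defence in depth: validate first, then place the name after the "--"
 * end-of-options marker so a getopt-style parser cannot read it as a flag
 * (assumes the deployed login honours "--").  Returns argc, or -1 when the
 * value is rejected; the caller should then close the session and log it. */
int build_login_argv_safe(const char *user, const char *argv[LOGIN_ARGV_MAX]) {
    if (!is_safe_username(user)) return -1;
    int n = 0;
    argv[n++] = "/usr/bin/login";
    argv[n++] = "--";
    argv[n++] = user;
    argv[n] = NULL;
    return n;
}
```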
Exploitation in the Wild
There is clear evidence of active exploitation of CVE-2026-24061. According to open-source threat intelligence, including reports from The Hacker News and telemetry from GreyNoise, at least 21 unique IP addresses have been observed attempting to exploit this vulnerability within a 24-hour window. These IPs originate from diverse geographies, including Hong Kong, the United States, Japan, the Netherlands, China, Germany, Singapore, and Thailand.
The observed attack pattern involves remote adversaries scanning for internet-facing telnetd services. Upon identifying a target, the attacker sends a crafted USER environment variable (-f root) to the telnetd service. If the target is running a vulnerable version, the attacker is granted immediate root access without any authentication challenge. This method is highly effective and can be automated for large-scale exploitation.
Network defenders have reported anomalous telnet connections where the USER variable is set to -f root, as well as sudden root logins via telnet from external IP addresses. These are strong indicators of compromise and should be investigated immediately.
APT Groups Using This Vulnerability
As of the latest open-source reporting, there is no confirmed attribution of CVE-2026-24061 exploitation to specific Advanced Persistent Threat (APT) groups. The exploitation activity observed thus far appears to be opportunistic, with a broad geographic distribution of malicious IPs. However, the critical nature of the vulnerability and the ease of exploitation make it highly attractive to both state-sponsored and financially motivated threat actors. The lack of authentication and the potential for immediate root access mean that APT groups are likely to incorporate this exploit into their toolkits if they have not already done so. Organizations should remain vigilant for signs of targeted exploitation, especially in sectors with high-value assets or sensitive data.
Affected Product Versions
The following versions of GNU InetUtils telnetd are confirmed to be affected: 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 1.9.8, 1.9.9, 2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, and 2.7. Any operating system or distribution shipping these versions of GNU InetUtils telnetd is vulnerable. This includes, but is not limited to, Debian, Ubuntu, Kali Linux, Trisquel, and other Linux distributions that package GNU InetUtils. Administrators should verify the version of telnetd in use and assume vulnerability if running any release from 1.9.3 through 2.7 inclusive.
Workaround and Mitigation
Immediate mitigation steps are essential to prevent exploitation. The most effective remediation is to upgrade to a patched version of GNU InetUtils as soon as it becomes available. In the interim, organizations should disable the telnetd service entirely if it is not strictly required for business operations. Where disabling is not feasible, network access to the telnet port (default 23/tcp) should be restricted to trusted IP addresses using firewall rules or access control lists.
As an additional safeguard, administrators can replace /usr/bin/login with a hardened version that does not accept the -f parameter from untrusted sources. Continuous monitoring for telnet connections with suspicious USER environment variables and auditing of root logins via telnet are recommended to detect potential exploitation attempts.
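As an added example of the monitoring recommended here and of the indicator reported by defenders above (this is not code from the advisory or the InetUtils project), the following C parser extracts the client-supplied USER value from a telnet NEW-ENVIRON subnegotiation (RFC 1572) and flags values that begin with '-'; the two packets are constructed samples.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Telnet (RFC 854) and NEW-ENVIRON (RFC 1572) codes. */
enum { IAC = 255, SB = 250, SE = 240, NEW_ENVIRON = 39 };
enum { ENV_IS = 0, ENV_INFO = 2, ENV_VAR = 0, ENV_VALUE = 1, ENV_ESC = 2, ENV_USERVAR = 3 };

/* Copy the value of variable `name` out of one complete NEW-ENVIRON IS/INFO
 * subnegotiation (buf[0..len)); returns its length, or -1 if absent/malformed. */
int new_environ_get(const uint8_t *buf, size_t len, const char *name, char *out, size_t outsz) {
    if (len < 6 || buf[0] != IAC || buf[1] != SB || buf[2] != NEW_ENVIRON ||
        (buf[3] != ENV_IS && buf[3] != ENV_INFO)) return -1;
    char cur[64]; size_t nlen = 0, vlen = 0;      /* variable name being read */
    bool in_value = false, match = false;
    for (size_t i = 4; i < len; i++) {
        uint8_t c = buf[i];
        if (c == IAC) {                            /* IAC SE ends; IAC IAC is literal 0xFF */
            if (i + 1 < len && buf[i + 1] == SE) break;
            if (i + 1 >= len || buf[i + 1] != IAC) return -1;
            i++;
        } else if (c == ENV_VAR || c == ENV_USERVAR || c == ENV_VALUE) {
            if (match && in_value) { out[vlen] = '\0'; return (int)vlen; }
            in_value = (c == ENV_VALUE);           /* VALUE follows a name; VAR starts a new one */
            match = in_value && nlen == strlen(name) && memcmp(cur, name, nlen) == 0;
            if (in_value) vlen = 0; else nlen = 0;
            continue;
        } else if (c == ENV_ESC) {                 /* next byte is literal data */
            if (++i >= len) return -1;
            c = buf[i];
        }
        if (in_value) { if (match && vlen + 1 < outsz) out[vlen++] = (char)c; }
        else if (nlen < sizeof cur) cur[nlen++] = (char)c;
    }
    if (match && in_value) { out[vlen] = '\0'; return (int)vlen; }
    return -1;
}

/* Detection rule from the advisory: a USER value beginning with '-' (e.g.
 * "-f root") is an option-injection attempt, never a legitimate user name. */
bool user_value_suspicious(const uint8_t *buf, size_t len) {
    char val[256];
    int n = new_environ_get(buf, len, "USER", val, sizeof val);
    return n > 0 && val[0] == '-';
}

/* Constructed samples: IAC SB NEW-ENVIRON IS VAR "USER" VALUE <user> [VAR "TERM" VALUE "xterm"] IAC SE */
static const uint8_t sample_attack[] = { IAC, SB, NEW_ENVIRON, ENV_IS, ENV_VAR, 'U','S','E','R',
    ENV_VALUE, '-','f',' ','r','o','o','t', ENV_VAR, 'T','E','R','M', ENV_VALUE, 'x','t','e','r','m', IAC, SE };
static const uint8_t sample_benign[] = { IAC, SB, NEW_ENVIRON, ENV_IS, ENV_VAR, 'U','S','E','R', ENV_VALUE, 'a','l','i','c','e', IAC, SE };
```

Feed it the subnegotiation bytes from a packet dissector or telnet proxy; note that it covers only NEW-ENVIRON (option 39), so a sensor should also watch the legacy ENVIRON option (36), which carries the same variables.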
Given the trivial nature of the exploit and the high impact of successful compromise, organizations should treat this vulnerability as an emergency and prioritize remediation efforts accordingly.
References
For further technical details and ongoing updates, consult the following authoritative sources:
NVD CVE-2026-24061, The Hacker News: Critical GNU InetUtils telnetd Flaw, oss-security mailing list discussion, Debian LTS Advisory, GNU InetUtils Project.
Rescana is here for you
Rescana is committed to helping organizations manage and mitigate third-party cyber risk. Our advanced TPRM platform provides continuous monitoring, automated risk assessment, and actionable intelligence to help you stay ahead of emerging threats. While this advisory focuses on the GNU InetUtils telnetd vulnerability, our platform is designed to help you identify, assess, and remediate a wide range of cybersecurity risks across your entire supply chain. For any questions or further assistance, please contact us at ops@rescana.com.