CVE-2026-24061: Critical Authentication Bypass in GNU InetUtils telnetd Exposes 800,000 Devices to Remote Root Attacks
- Jan 28

Executive Summary
A critical vulnerability, CVE-2026-24061, has been identified in the GNU InetUtils telnetd server, exposing a large and often-overlooked attack surface across the global internet. The flaw is an authentication bypass: an unauthenticated remote attacker who supplies a crafted USER environment variable during Telnet option negotiation obtains root-level access on the affected host. It impacts legacy Linux distributions, routers, and IoT devices, many of which run outdated and unmaintained software. Roughly 800,000 Telnet servers are reachable from the internet, and exploitation attempts were observed within hours of public disclosure. Attackers are using the flaw for automated reconnaissance, SSH key persistence, and attempted malware deployment, which makes immediate remediation urgent. This report provides a technical analysis, exploitation details, and actionable mitigation guidance for Rescana customers.
Technical Information
The CVE-2026-24061 vulnerability resides in the telnetd component of GNU InetUtils, specifically affecting versions 1.9.3 (released in 2015) through 2.7. The flaw is classified as a critical authentication bypass, with a CVSS v3.1 base score of 9.8, reflecting its ease of exploitation and the potential for complete system compromise. The vulnerability is rooted in improper neutralization of argument delimiters in a command, as described by CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection').
A remote attacker who connects to a vulnerable telnetd can set the USER environment variable to the string -f root during Telnet option negotiation, before any login prompt appears. The Telnet environment option (NEW-ENVIRON, RFC 1572; telnetd also accepts the older ENVIRON option) lets a client ship variable/value pairs to the server inside an IAC SB ... IAC SE subnegotiation (Interpret As Command, Subnegotiation Begin ... Subnegotiation End), and telnetd forwards the USER value to the login program it spawns. Because the value reaches login's command line without being checked, login's option parser sees -f (the caller vouches that the user is already authenticated) and root (the account to open) as though telnetd itself had supplied them, and the session is dropped into a root shell with no password check.
The exploitation sequence is therefore short: connect to TCP port 23 (or whatever port the service is bound to), negotiate the environment option, send a subnegotiation carrying USER=-f root, and wait for the shell. The -f flag exists so that a front end that has already authenticated the user, such as a telnetd performing its own Kerberos authentication, can hand the session to login without a second password prompt; it must never be reachable from client-controlled data.
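The exchange described above, decoded and checked for the bypass pattern, as an added example that is not part of the original advisory or of GNU InetUtils. It follows RFC 854 Telnet framing and the RFC 1572 NEW-ENVIRON option; the two byte streams it scans are constructed here (the benign one is a normal USER/TERM announcement, the other carries USER=-f root) rather than captured from real traffic, and every function and constant name is the example's own.

```python
"""Scan a Telnet byte stream for the CVE-2026-24061 bypass pattern.

Added example for detection engineering; not code from GNU InetUtils or from
the advisory. Framing follows RFC 854, the environment option RFC 1572.
The streams at the bottom are constructed test data, not real captures.
"""
import re

IAC, SB, SE = 255, 250, 240
WILL, WONT, DO, DONT = 251, 252, 253, 254
NEW_ENVIRON = 39          # RFC 1572; the older ENVIRON option (RFC 1408) is 36
OLD_ENVIRON = 36
IS, SEND, INFO = 0, 1, 2  # environment subnegotiation commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3


def iter_subnegotiations(stream: bytes):
    """Yield (option, payload) for each IAC SB <opt> ... IAC SE in the stream.

    A literal 0xFF inside a subnegotiation arrives as IAC IAC and is unescaped;
    a truncated subnegotiation is dropped rather than guessed at.
    """
    i, n = 0, len(stream)
    while i + 1 < n:
        if stream[i] != IAC:
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd != SB:
            # IAC IAC is a data byte; WILL/WONT/DO/DONT carry one option byte
            i += 3 if cmd in (WILL, WONT, DO, DONT) else 2
            continue
        if i + 2 >= n:
            return
        option, payload, j = stream[i + 2], bytearray(), i + 3
        while j < n:
            if stream[j] == IAC:
                if j + 1 >= n:
                    return
                if stream[j + 1] == SE:
                    yield option, bytes(payload)
                    break
                if stream[j + 1] == IAC:
                    payload.append(IAC)
                    j += 2
                    continue
            payload.append(stream[j])
            j += 1
        else:
            return
        i = j + 2


def parse_environ(payload: bytes):
    """Decode an IS/INFO environment payload into [(name, value), ...].

    VAR/USERVAR open a name, VALUE opens its value, ESC escapes the next byte.
    A variable sent without VALUE is reported as (name, None).
    """
    if not payload or payload[0] not in (IS, INFO):
        return []
    pairs, name, value, cur = [], None, None, None
    i, n = 1, len(payload)
    while i < n:
        b = payload[i]
        if b == ESC and i + 1 < n:
            if cur is not None:
                cur.append(payload[i + 1])
            i += 2
            continue
        if b in (VAR, USERVAR):
            if name is not None:
                pairs.append((bytes(name), None if value is None else bytes(value)))
            name, value = bytearray(), None
            cur = name
        elif b == VALUE and name is not None:
            value = bytearray()
            cur = value
        elif cur is not None:
            cur.append(b)
        i += 1
    if name is not None:
        pairs.append((bytes(name), None if value is None else bytes(value)))
    return pairs


OPTION_LIKE = re.compile(rb"^\s*-")  # a USER value that login would read as an option


def find_user_injection(stream: bytes):
    """Return every USER value in the stream that starts with '-' (e.g. '-f root')."""
    hits = []
    for option, payload in iter_subnegotiations(stream):
        if option not in (NEW_ENVIRON, OLD_ENVIRON):
            continue
        for name, value in parse_environ(payload):
            if name.upper() == b"USER" and value is not None and OPTION_LIKE.match(value):
                hits.append(value.decode("latin-1"))
    return hits


def _env_escape(raw: bytes) -> bytes:
    # bytes that collide with VAR/VALUE/ESC/USERVAR (0-3) get an ESC prefix
    return b"".join(bytes([ESC, b]) if b <= USERVAR else bytes([b]) for b in raw)


def build_environ_is(variables) -> bytes:
    """Client reply 'IS VAR name VALUE value ...' wrapped in IAC SB ... IAC SE."""
    body = bytearray([IS])
    for name, value in variables:
        body += bytes([VAR]) + _env_escape(name) + bytes([VALUE]) + _env_escape(value)
    body = bytes(body).replace(bytes([IAC]), bytes([IAC, IAC]))
    return bytes([IAC, SB, NEW_ENVIRON]) + body + bytes([IAC, SE])


# Constructed exchange: the server offers the option and asks for the
# environment; the client answers. Only the USER value differs below.
SERVER_SEND = bytes([IAC, DO, NEW_ENVIRON, IAC, SB, NEW_ENVIRON, SEND, IAC, SE])
ATTACK_STREAM = bytes([IAC, WILL, NEW_ENVIRON]) + build_environ_is(
    [(b"USER", b"-f root"), (b"TERM", b"xterm")])
BENIGN_STREAM = bytes([IAC, WILL, NEW_ENVIRON]) + build_environ_is(
    [(b"USER", b"alice"), (b"TERM", b"xterm")])

if __name__ == "__main__":
    print("attack:", find_user_injection(ATTACK_STREAM))  # ['-f root']
    print("benign:", find_user_injection(BENIGN_STREAM))  # []
```

Feed `find_user_injection` the client-to-server TCP payload of a port 23 session (from a pcap or a honeypot's raw session bytes). A flat byte signature such as `ff fa 27 00 00 "USER" 01 "-"` catches the common case but misses a client that announces the name as USERVAR, sends TERM before USER, or ESC-escapes bytes; decoding the subnegotiation, as above, does not.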
The patched version, GNU InetUtils 2.8, released on 2026-01-20, addresses this flaw by enforcing strict validation of environment variables and disallowing unauthorized use of the -f flag.
The impact of this vulnerability is severe. Successful exploitation provides attackers with full root privileges, enabling them to execute arbitrary commands, install persistent backdoors, exfiltrate sensitive data, and pivot laterally within the network. The attack requires no prior authentication, no user interaction, and can be executed remotely over the internet.
Exploitation in the Wild
Within 24 hours of the public disclosure and patch release, threat intelligence sources including GreyNoise Labs observed widespread scanning and exploitation of vulnerable telnetd endpoints. At least 18 unique attacker IP addresses made more than 60 exploitation attempts in the first 18 hours, and more than 80% of those attempts succeeded. GreyNoise reported no benign or research use of the technique: every observed instance of the USER-based bypass was an exploitation attempt.
Post-exploitation activities included system reconnaissance commands such as uname -a, id, cat /proc/cpuinfo, and cat /etc/passwd, indicating attackers were gathering information about compromised hosts. In several cases, attackers attempted to establish persistent access by injecting SSH public keys into the authorized_keys file of the root user. Additionally, there were attempts to download and execute Python-based malware payloads from remote servers, typically using curl or wget piped directly to the Python interpreter. While many of these attempts failed due to the absence of Python or required utilities on legacy devices, the attack methodology demonstrates a clear intent to automate post-compromise actions.
The global scope of exposure is significant, with approximately 800,000 Telnet servers accessible from the internet. The highest concentrations of exposed Telnet servers are in Asia (about 380,000), South America (about 170,000), and Europe (about 100,000), according to Shadowserver and TechRadar. Not every exposed server runs a vulnerable InetUtils build, but Telnet reachable from the internet is a finding in its own right. The exploitation campaign appears to be both opportunistic and targeted, with some attackers focusing on specific high-value devices for persistent access.
Network indicators of compromise include unexpected inbound connections to TCP port 23; Telnet environment subnegotiations (IAC SB NEW-ENVIRON ... IAC SE) carrying a USER value that begins with -f root, visible in packet captures or honeypot session transcripts; and, after a successful bypass, outbound downloads of Python scripts or connections to attacker-controlled servers. The CISA Known Exploited Vulnerabilities (KEV) Catalog has added CVE-2026-24061, highlighting the urgency of remediation.
APT Groups using this vulnerability
As of this report, there is no public attribution of CVE-2026-24061 exploitation to specific Advanced Persistent Threat (APT) groups. The observed activity is characterized by a mix of opportunistic mass scanning and more targeted, persistent exploitation attempts. The use of virtual private servers (VPS) for both exploitation and malware hosting, as well as the injection of SSH keys for long-term access, is consistent with tactics employed by both low-tier cybercriminals and initial access brokers. While no nation-state or highly sophisticated APT group has been definitively linked to this campaign, the rapid weaponization and global reach suggest that a broad spectrum of threat actors is actively leveraging this vulnerability.
Affected Product Versions
The vulnerability affects GNU InetUtils telnetd versions 1.9.3 through 2.7. This includes a wide array of legacy Linux distributions, embedded systems, routers, and IoT devices that have not been updated in several years. The patched version, 2.8, released on 2026-01-20, is not vulnerable. Organizations should be aware that many affected devices may be running end-of-life software or custom firmware, complicating remediation efforts.
Workaround and Mitigation
Immediate action is required to mitigate the risk posed by CVE-2026-24061. The most effective remediation is to upgrade GNU InetUtils to version 2.8 or later, which contains the fix; where a distribution ships its own build, apply the vendor's backported update (Debian LTS has issued an advisory). If patching is not feasible, disable telnetd entirely: remove or comment out its entry in /etc/inetd.conf or /etc/xinetd.d, disable any systemd socket unit that launches it, and confirm with ss -ltn that nothing is still listening on TCP port 23. Telnet is an unencrypted protocol with no protection of credentials in transit and should not be exposed to the internet under any circumstances. Blocking TCP port 23 at all network boundaries stops the bulk of external exploitation attempts, but a telnetd bound to a non-standard port is just as vulnerable, so block the service rather than only the default port.
In addition to patching or disabling Telnet, organizations should conduct a comprehensive audit of their network to identify and eliminate unnecessary Telnet services, particularly on legacy or IoT devices. Monitoring for indicators of compromise is essential; review authentication logs for unauthorized root logins, inspect session logs for the presence of the -f root argument, and monitor for unexpected Python process execution or outbound connections to known malware distribution servers.
For devices that cannot be patched or decommissioned, consider network segmentation and strict access controls to limit exposure. Implement intrusion detection and prevention systems capable of identifying Telnet-based attacks and anomalous authentication patterns.
References
NVD CVE-2026-24061, GreyNoise Grimoire Exploit Report, Debian LTS Advisory, Openwall OSS-Security Mailing List, TechRadar News, CISA KEV Catalog
Rescana is here for you
At Rescana, we understand the critical importance of proactive risk management in today’s rapidly evolving threat landscape. Our Third-Party Risk Management (TPRM) platform empowers organizations to continuously monitor, assess, and mitigate cyber risks across their entire digital ecosystem. We are committed to providing actionable intelligence and expert guidance to help you safeguard your assets and maintain operational resilience. If you have any questions or require further assistance, our team is ready to support you at ops@rescana.com.