A critical remote authentication bypass vulnerability (CVE-2026-24061, CVSS 9.8) has been discovered in the GNU InetUtils telnetd service, affecting all versions from 1.9.3 through 2.7. The flaw allows an unauthenticated attacker to obtain a root shell immediately by injecting login(1) arguments through the client-supplied USER environment variable, which telnetd forwards to /usr/bin/login without validation. The issue went unnoticed for nearly 11 years and is now being actively probed by malicious actors.
Impact -
Severity: Critical (CVSS 9.8)
Successful exploitation results in:
- Full root-level compromise
- Remote, unauthenticated access
- No user interaction required
- Complete loss of confidentiality, integrity, and availability
Systems running telnetd and exposed to untrusted networks are at immediate high risk. Telnet’s inherent insecurity compounds the severity.
Technical Details -
Vulnerability Mechanism:
- The telnetd server takes the USER value announced by the client during Telnet environment negotiation and substitutes it into the /usr/bin/login command line without checking it. Because the substituted string is word-split, a value containing a space becomes several separate arguments.
- An attacker sets USER='-f root' and forwards it with the Telnet client: -a (--autologin) sends the caller's USER environment variable, and -l '-f root' (--login) sets the value directly.
- login's -f flag means "the user is already authenticated, skip the password check", so login receives -f root and opens a root shell with no authentication.
Root Cause:
- Introduced in a code commit on March 19, 2015 and shipped in GNU InetUtils 1.9.3 (May 12, 2015).
- The vulnerability originates from improper argument sanitization and variable expansion in the telnetd code path (telnetd/telnetd.c and related utility functions).
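The following Python model, added here as an illustration and not code from GNU InetUtils, shows the mechanism described under Vulnerability Mechanism and Root Cause: a login command line built by substituting the client's USER value into a template and then word-splitting it, beside a hardened builder that validates the name and appends it as a single argv element. The template string, the function names and the login option model are assumptions for the example; the real telnetd code path is in telnetd/telnetd.c and its utility functions.

```python
import re
import shlex

# Assumed template in the style a telnetd might use to invoke login:
# %h is the client host, %u the login name announced by the client.
# This is a constructed model, not inetutils' actual template.
LOGIN_TEMPLATE = "/usr/bin/login -h %h -p %u"


def expand_and_split_vulnerable(template, host, user):
    """Vulnerable pattern: substitute values into a string, then word-split.

    A USER value with embedded whitespace turns into several argv words,
    so "-f root" arrives at login as the flag "-f" followed by "root".
    """
    line = template.replace("%h", host).replace("%u", user)
    return shlex.split(line)


# Conservative login-name syntax: letters, digits, '.', '_' and '-',
# but never a leading '-' (which login would parse as an option) and
# never whitespace (which would create extra argv words).
USERNAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9._-]*")


def build_login_argv_hardened(host, user):
    """Hardened pattern: validate the name, build argv as a list, never re-split."""
    argv = ["/usr/bin/login", "-h", host, "-p"]
    if user is not None:
        if not USERNAME_RE.fullmatch(user):
            raise ValueError("rejecting client-supplied login name: %r" % user)
        argv.append(user)  # one element, regardless of its content
    return argv


def preauthenticated_user(argv):
    """Rough model of login(1) option parsing: '-f NAME' marks NAME as
    already authenticated. Returns that name, or None if -f is absent."""
    args = argv[1:]
    for i, arg in enumerate(args):
        if arg == "-f" and i + 1 < len(args):
            return args[i + 1]
    return None


if __name__ == "__main__":
    client_host = "198.51.100.7"          # constructed sample peer address
    for user in ("alice", "-f root"):
        argv = expand_and_split_vulnerable(LOGIN_TEMPLATE, client_host, user)
        print("vulnerable:", argv, "-> preauth user:", preauthenticated_user(argv))
        try:
            argv = build_login_argv_hardened(client_host, user)
            print("hardened:  ", argv, "-> preauth user:", preauthenticated_user(argv))
        except ValueError as exc:
            print("hardened:  ", exc)
```

The defensive rule generalises beyond telnetd: any service that builds a command line from a client-supplied value must treat it as one argument, reject a leading '-' (or place it after a literal `--`), and never push it through a shell or a word-splitter.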
Affected Versions:
- GNU InetUtils telnetd versions 1.9.3 through 2.7.
- Present in many Linux/UNIX distributions or appliances that ship Telnet for legacy use.
Threat Activity and Exploitation:
- Threat intelligence reporting indicates 21 unique malicious IP addresses actively attempting to exploit the flaw within a 24-hour window.
- These originate from multiple regions including Hong Kong, the U.S., Japan, the Netherlands, China, Germany, Singapore, and Thailand.
- This pattern is consistent with early-stage scanning and opportunistic exploitation attempts across the internet.
- Public proof-of-concept exploit code is already available on GitHub, increasing the likelihood of mass exploitation.
Indicators of Compromise (IoCs) -
Observed Attacker Activity:
- Telnet connections whose environment negotiation carries a USER value beginning with '-' (for example '-f root'), or any USER value containing whitespace.
- Sessions that announce a login name during option negotiation (which is what telnet -a / -l send) rather than typing one at the login: prompt, particularly from hosts that have never used Telnet before.
- Root sessions recorded by login via telnetd (utmp/wtmp, auth logs) with no corresponding password or PAM authentication event.
Network Indicators:
- Suspicious inbound Telnet traffic (TCP/23) from:
- Hong Kong, U.S., Japan, Netherlands, China, Germany, Singapore, Thailand.
- Source geography alone is a weak indicator: treat any unsolicited connection to TCP/23 on a host that should not be serving Telnet as suspicious, regardless of origin.
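The wire-level indicator above can be checked directly in captured traffic. The following Python detector, added here as an example and not taken from the bulletin's source material, walks a raw Telnet byte stream, extracts NEW-ENVIRON (option 39, RFC 1572) subnegotiations, decodes the VAR/VALUE pairs and flags USER values that begin with '-' or contain whitespace. The sample byte strings are constructed for the example; the function names are the author's own.

```python
# Telnet protocol constants (RFC 854 / RFC 1572)
IAC, SB, SE = 255, 250, 240
NEW_ENVIRON = 39
IS, INFO = 0, 2              # subnegotiation commands sent by the client
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3


def iter_subnegotiations(stream):
    """Yield (option, payload) for each IAC SB <opt> ... IAC SE in the stream.
    A doubled IAC inside the payload is unescaped to a single 0xFF byte."""
    i, n = 0, len(stream)
    while i < n:
        if stream[i] == IAC and i + 2 < n and stream[i + 1] == SB:
            opt, j, payload = stream[i + 2], i + 3, bytearray()
            while j < n:
                if stream[j] == IAC and j + 1 < n:
                    if stream[j + 1] == IAC:          # escaped literal 0xFF
                        payload.append(IAC)
                        j += 2
                        continue
                    if stream[j + 1] == SE:           # end of subnegotiation
                        j += 2
                        break
                payload.append(stream[j])
                j += 1
            yield opt, bytes(payload)
            i = j
        else:
            i += 1


def parse_new_environ(payload):
    """Decode a NEW-ENVIRON IS/INFO payload into {name: value}.
    Variables announced with VAR/USERVAR but no VALUE are mapped to ''."""
    if not payload or payload[0] not in (IS, INFO):
        return {}
    items = []                      # list of [token_type, bytearray]
    i = 1
    while i < len(payload):
        b = payload[i]
        if b == ESC and i + 1 < len(payload):   # ESC quotes the next byte
            if items:
                items[-1][1].append(payload[i + 1])
            i += 2
            continue
        if b in (VAR, USERVAR, VALUE):
            items.append([b, bytearray()])
        elif items:
            items[-1][1].append(b)
        i += 1
    env, name = {}, None
    for kind, data in items:
        text = bytes(data).decode("latin-1")
        if kind in (VAR, USERVAR):
            name = text
            env[name] = ""
        elif kind == VALUE and name is not None:
            env[name] = text
    return env


def suspicious_user_values(stream):
    """Return every USER value in the stream that looks like option injection."""
    hits = []
    for opt, payload in iter_subnegotiations(stream):
        if opt != NEW_ENVIRON:
            continue
        user = parse_new_environ(payload).get("USER")
        if user is not None and (user.startswith("-") or any(c.isspace() for c in user)):
            hits.append(user)
    return hits


# Constructed sample streams: IAC WILL NEW-ENVIRON, then IAC SB NEW-ENVIRON IS
# VAR "USER" VALUE <value> IAC SE, as a client sends after the server's DO.
ATTACK_STREAM = b"\xff\xfb\x27" + b"\xff\xfa\x27\x00\x00USER\x01-f root\xff\xf0"
BENIGN_STREAM = b"\xff\xfb\x27" + b"\xff\xfa\x27\x00\x00USER\x01alice\xff\xf0"

if __name__ == "__main__":
    print("attack:", suspicious_user_values(ATTACK_STREAM))   # ['-f root']
    print("benign:", suspicious_user_values(BENIGN_STREAM))   # []
```

The same check belongs in an IDS rule or a TCP/23 capture review; note that it only covers option 39, so a client using the legacy ENVIRON option (36) would need the equivalent decoding added.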
Mitigation and Recommendations -
Disable telnetd
- Strongly recommended wherever possible.
- Replace with SSH or another secure remote access method.
Restrict Telnet Access
- Limit access to trusted IP addresses only.
- Apply firewall or network segmentation rules.
Patch / Update
- Apply the GNU InetUtils fix, or upgrade to a release later than 2.7 that contains it, as soon as your distribution publishes the corresponding package.
Temporary Workarounds
- Front /usr/bin/login with a wrapper that refuses any -f argument (telnetd only needs -f for Kerberos-style automatic login, which is rarely used) and point telnetd at the wrapper, for example via inetutils telnetd's --exec-login option. Test a normal interactive login afterwards.
- Where telnetd's login invocation is customised, or any other service builds a command line from client-supplied values, validate those values (reject a leading '-' and embedded whitespace) and pass them as single arguments rather than substituting them into a string that is later word-split.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.