🔴 CVE-2026-24061

Critical authentication bypass vulnerability in GNU InetUtils telnetd allows remote attackers to gain root access without credentials via malformed USER environment variable. Over 800,000 telnet servers are exposed on the internet with active exploitation observed in the wild.

Risk Level: HIGH_RISK

CVSS Score: 9.8

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 — Exploit Public-Facing Application

Deployment Risk: MEDIUM

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2026-01-21

Added to CISA KEV: 2026-01-26 (5 days between CVE and KEV)

🔍 Web Intelligence (Kagi · 2026-01-26)

CVE-2026-24061 is a critical authentication bypass vulnerability affecting GNU inetutils-telnetd versions 1.9.3 through 2.7. It allows remote attackers to gain root shell access without providing credentials by exploiting a flaw in how the `USER` environment variable is handled during Telnet option negotiation.

Here's a breakdown of what is known about its exploitation:

  • Internet-Facing Applications/Services: The vulnerability affects the telnet daemon (telnetd) component of GNU InetUtils. While telnet is considered a legacy protocol and devices exposed on the public internet with telnet active are becoming scarce, there are still approximately 800,000 instances exposed on the public internet that are vulnerable [1][2]. These exposed instances represent direct attack vectors.
  • Evidence of Active Exploitation: Yes, CVE-2026-24061 is under active exploitation in the wild [9][10]. Exploits have been observed since January 22, 2026, with malicious activity detected originating from multiple IP addresses across numerous Telnet sessions [1].
  • Attack Vectors and Exploitation Methods: The primary attack vector involves exploiting an authentication bypass flaw in the `telnetd` server. Attackers can send a malformed `USER` environment variable, specifically using a `"-f root"` value, during the Telnet option negotiation (`NEW_ENVIRON` telnet option). This allows them to bypass authentication and gain immediate root shell access on vulnerable systems [4][5]. The exploit is described as easy to leverage and has low attack complexity [3][11].
  • Use in Targeted Attacks: While opportunistic attacks are occurring, the vulnerability can also be used in targeted campaigns by advanced threat groups seeking infrastructure compromise [2]. In observed attacks, the attackers often target the 'root' user and, in the post-exploitation phase, conduct reconnaissance and attempt to persist by deploying malware or SSH keys [3].
  • CISA Known Exploited Vulnerabilities (KEV) Status: As of the available information, CVE-2026-24061 has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog [7][12]. The KEV catalog lists vulnerabilities that have been actively exploited in the wild and require immediate attention from federal agencies.
  • Technical Details about Internet Exploitability: The vulnerability lies in the `telnetd` server's handling of the `USER` environment variable. When a client connects, the server requests `NEW_ENVIRON` data. By manipulating this data with a specific argument injection, an attacker can trick the `/usr/bin/login` executable (which typically runs as root) into authenticating as root without any credentials [1][6]. The attack vector is Network with low privileges required and no user interaction needed [8][13].
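
A detection-side illustration of the `NEW_ENVIRON` handling described above, added here as an example and not taken from any of the cited sources or from GNU InetUtils: it decodes client NEW-ENVIRON subnegotiations (RFC 1572 framing) from captured Telnet bytes and flags any `USER` value that begins with `-`. The function names and the sample captures are assumptions constructed for this example.

```python
IAC, SB, SE, NEW_ENVIRON, IS, INFO = 255, 250, 240, 39, 0, 2  # RFC 854 / RFC 1572
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3

def subnegotiations(stream):
    """Yield each NEW-ENVIRON subnegotiation body, with IAC IAC unescaped."""
    marker, i = bytes([IAC, SB, NEW_ENVIRON]), 0
    while (start := stream.find(marker, i)) >= 0:
        i, body = start + 3, bytearray()
        while i < len(stream):
            pair = stream[i:i + 2]
            if pair == bytes([IAC, SE]):
                yield bytes(body)
                break
            if pair == bytes([IAC, IAC]):
                i += 1  # escaped 0xFF data byte
            body.append(stream[i])
            i += 1

def parse_env(body):
    """Decode an IS/INFO body into {name: value}; value is None if undefined."""
    if body[:1] not in (bytes([IS]), bytes([INFO])):
        return {}
    tokens, i = [], 1
    while i < len(body):
        if body[i] in (VAR, VALUE, USERVAR):
            tokens.append([body[i], bytearray()])
        else:
            if body[i] == ESC and i + 1 < len(body):
                i += 1  # ESC: the next byte is literal data
            if tokens:
                tokens[-1][1].append(body[i])
        i += 1
    env, name = {}, None
    for kind, data in tokens:
        if kind != VALUE:
            name = data.decode("latin-1")
        if name is not None:
            env[name] = data.decode("latin-1") if kind == VALUE else None
    return env

def flag_user_injection(stream):
    """Return USER values that begin with '-' (login would read them as options)."""
    users = (parse_env(b).get("USER") for b in subnegotiations(stream))
    return [u for u in users if u and u.startswith("-")]

# Constructed captures (not real traffic): client IS replies carrying USER.
SAMPLES = {"benign": b"\xff\xfa\x27\x00\x00USER\x01alice\xff\xf0",
           "flagged": b"\xff\xfa\x27\x00\x00USER\x01-f root\xff\xf0"}
```

A legitimate account name never starts with `-`, so a hit from `flag_user_injection` on inbound port 23 traffic is a high-signal indicator for this CVE.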

Sources

  1. Nearly 800,000 Telnet servers exposed to remote attacks

    On Thursday, days after CVE-2026-24061 was disclosed, cybersecurity company GreyNoise reported that it had already detected exploits for CVE-2026-24061 being used in limited attacks. The malicious activity started on January 21 (one day after the vulnerability was patched) and originated from 18 IP…

  2. Over 800K GNU InetUtils telnetd Instances Exposed to RCE Attacks as PoC ...

    Security Impact and Attack Methodology. CVE-2026-24061 enables unauthenticated remote code execution on vulnerable telnetd instances. Organizations hosting exposed telnetd services face immediate risks from both opportunistic attacks and targeted campaigns by advanced threat groups seeking infrastruc…

  3. Hackers exploit critical telnetd auth bypass flaw to get root

    The security issue is tracked as CVE-2026-24061 and was reported on January 20. It is trivial to leverage and multiple exploit examples are publicly available. Bug persisted since 2015. The attacks varied in terminal speed, type, and X11 DISPLAY values, but in 83.3% of the cases, they targeted the ‘r…

  4. GitHub - SystemVll/CVE-2026-24061: Proof of Concept...

    Attack Vector. Attacker connects to the telnetd service (typically port 23). During telnet option negotiation, the server requests NEW_ENVIRON data. Proof of Concept: CVE-2026-24061 is a critical authentication bypass vulnerability in GNU inetutils-telnetd allowing unauthenticated remote attackers to…

  5. GitHub - balgan/CVE-2026-24061: inetutils-telnetd Authentication...

    inetutils-telnetd Authentication Bypass - working. Contribute to balgan/CVE-2026-24061 development by creating an account on GitHub. Overview. CVE-2026-24061 is a critical authentication bypass vulnerability affecting inetutils-telnetd versions 1.9.3 through 2.7. It allows a remote attacker to obtain…