A critical authentication bypass vulnerability in GNU InetUtils telnetd allows remote attackers to gain root access without credentials via a malformed USER environment variable. Over 800,000 telnet servers are exposed on the internet, with active exploitation observed in the wild.
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: DIRECT_NETWORK
CVE Published: 2026-01-21
Added to CISA KEV: 2026-01-26 (5 days between CVE and KEV)
On Thursday, days after CVE-2026-24061 was disclosed, cybersecurity company GreyNoise reported that it had already detected exploits for CVE-2026-24061 being used in limited attacks. The malicious activity started on January 21 (one day after the vulnerability was patched) and originated from 18 IP addresses across 60 Telnet sessions, abusing the Telnet IAC option negotiation to inject 'USER=-f
Security Impact and Attack Methodology. CVE-2026-24061 enables unauthenticated remote code execution on vulnerable telnetd instances. Organizations hosting exposed telnetd services face immediate risks from both opportunistic attacks and targeted campaigns by advanced threat groups seeking infrastructure compromise. Organizations can identify exposed telnetd instances through the Shadowserver Foundation's comprehensive Accessible Telnet Report, which provides ongoing visibility into publicly accessible telnet services.
The security issue is tracked as CVE-2026-24061 and was reported on January 20. It is trivial to leverage and multiple exploit examples are publicly available. Bug persisted since 2015. The attacks varied in terminal speed, type, and X11 DISPLAY values, but in 83.3% of the cases, they targeted the 'root' user. In the post-exploitation phase, the attackers conducted automated reconnaissance and attempted to persist SSH keys and deploy Python malware.
Attack Vector. The attacker connects to the telnetd service (typically port 23). During telnet option negotiation, the server requests NEW_ENVIRON data.
Proof of Concept: CVE-2026-24061 is a critical authentication bypass vulnerability in GNU inetutils-telnetd that allows unauthenticated remote attackers to gain an instant root shell through malicious use of the NEW_ENVIRON telnet option.
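A detection check for the negotiation described above, as an added example that is not from the original page or from the inetutils project: it parses captured client-to-server Telnet bytes, decodes NEW-ENVIRON subnegotiations per RFC 1572, and reports any USER value that begins with '-'. The function names and sample byte strings are constructed for illustration, and treating a leading '-' as the indicator is an assumption drawn from the 'USER=-f' string quoted above.

```python
IAC, SB, SE = 255, 250, 240            # Telnet framing bytes (RFC 854/855)
NEW_ENVIRON = 39                       # option code (RFC 1572)
IS, INFO = 0, 2                        # client-to-server subcommands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3  # field markers inside the payload

def subnegotiations(stream: bytes):
    """Yield (option, payload) for every complete IAC SB ... IAC SE frame."""
    i, n = 0, len(stream)
    while i + 1 < n:
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] == SB and i + 2 < n:
            option, body, j = stream[i + 2], bytearray(), i + 3
            while j + 1 < n and not (stream[j] == IAC and stream[j + 1] == SE):
                if stream[j] == IAC:   # IAC IAC is a literal 0xFF in the payload
                    j += 1
                body.append(stream[j])
                j += 1
            if j + 1 < n:              # frame was terminated, not truncated
                yield option, bytes(body)
            i = j + 2
        else:                          # WILL/WONT/DO/DONT carry one option byte
            i += 3 if 251 <= stream[i + 1] <= 254 else 2

def parse_environ(payload: bytes) -> dict:
    """Decode VAR/USERVAR names and their VALUEs from an IS or INFO payload."""
    env, name, fields, k = {}, None, [], 1
    if not payload or payload[0] not in (IS, INFO):
        return env
    while k < len(payload):
        b = payload[k]
        if b == ESC and k + 1 < len(payload):  # ESC makes the next byte literal
            k += 1
            b = payload[k]
        elif b in (VAR, VALUE, USERVAR):
            fields.append([b, bytearray()])
            k += 1
            continue
        if fields:
            fields[-1][1].append(b)
        k += 1
    for kind, data in fields:
        text = data.decode("latin-1")
        if kind != VALUE:
            name, env[text] = text, ""
        elif name is not None:
            env[name] = text
    return env

def dash_prefixed_users(stream: bytes) -> list:
    """Return every USER value in the stream that begins with '-' (assumed indicator)."""
    return [env["USER"] for opt, p in subnegotiations(stream) if opt == NEW_ENVIRON
            for env in [parse_environ(p)] if env.get("USER", "").startswith("-")]

# Constructed sample captures: IAC WILL NEW-ENVIRON, then one IS frame carrying USER.
PREFIX = bytes([IAC, 251, NEW_ENVIRON, IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER" + bytes([VALUE])
BENIGN, FLAGGED = PREFIX + b"alice" + bytes([IAC, SE]), PREFIX + b"-f" + bytes([IAC, SE])
```

Run `dash_prefixed_users` over the client side of reassembled sessions to port 23; a truncated frame yields no result rather than a partial match.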
Overview. CVE-2026-24061 is a critical authentication bypass vulnerability affecting inetutils-telnetd versions 1.9.3 through 2.7. It allows a remote attacker to obtain a root shell on vulnerable systems without providing any credentials.