The critical vulnerability CVE-2026-24061 in the GNU InetUtils telnetd server component is already being exploited in real-world attacks. Rated 9.8 on the CVSS scale, the flaw enables remote, unauthenticated compromise and is particularly dangerous because Telnet remains widely exposed on legacy Linux and IoT systems. Shadowserver telemetry shows almost 800,000 IP addresses with open Telnet on the public internet, creating ideal conditions for large-scale compromise.
Overview of CVE-2026-24061 in GNU InetUtils telnetd
GNU InetUtils is a long-standing suite of core network utilities for Unix-like systems, including telnet/telnetd, ftp/ftpd, rsh/rshd, ping, traceroute and others. It ships with many Linux distributions and is frequently embedded into routers, cameras, industrial controllers, and other IoT devices that may run the same firmware for years without updates.
CVE-2026-24061 affects GNU InetUtils versions from 1.9.3 (released in 2015) through 2.7. The issue was only fixed in version 2.8 on 20 January 2026, meaning the vulnerability remained unnoticed and unpatched in production code for almost 11 years. A CVSS score of 9.8 signals a near-maximum risk of remote code execution and full system takeover without user interaction, as reflected in common vulnerability databases such as NVD.
How the Telnetd Login Bypass Works: Root Access Without a Password
The core problem lies in how telnetd launches the system login program. When a Telnet session is established, telnetd invokes /usr/bin/login (typically running with root privileges) and passes the USER environment variable, supplied by the remote client, as the final command-line argument.
If the Telnet client sends a specially crafted USER value such as -f root, and the client is started with -a or --login, the login binary interprets the -f flag as “trusted authentication”. In other words, login assumes the user has already been authenticated elsewhere and skips password verification entirely, granting the attacker direct root shell access.
The fundamental bug is that telnetd does not sanitize or validate the USER environment variable before handing it to login. This pattern—passing untrusted input as arguments to privileged binaries—has caused severe remote code execution vulnerabilities in other services in the past. In this case, however, the flaw remained under the radar for an unusually long period in a widely deployed component.
Exposure of Internet-Facing Telnet and IoT Systems
According to the Shadowserver Foundation, internet-wide scanning reveals nearly 800,000 Telnet services with recognizable Telnet fingerprints. More than 380,000 of these are in Asia, almost 170,000 in South America, and around 100,000 in Europe. The exact share running vulnerable GNU InetUtils telnetd is unknown, but the attack surface is clearly significant.
Security analysts emphasize that the mere presence of internet-exposed Telnet is a serious security misconfiguration. Telnet transmits all data, including usernames and passwords, in cleartext without encryption. Despite this, it remains common on IoT devices, SOHO routers, video surveillance systems, and industrial equipment, where firmware updates are infrequent or non-existent. In such environments, CVE-2026-24061 can be weaponized to build large botnets or gain persistent footholds inside corporate networks.
Evidence of Active Exploitation from GreyNoise Telemetry
Within days of public disclosure, threat-intelligence company GreyNoise recorded live exploitation attempts of CVE-2026-24061. Malicious traffic was first observed on 21 January, the day after the patch release.
GreyNoise reported activity from 18 IP addresses across at least 60 Telnet sessions. Attackers abused Telnet IAC (Interpret As Command) option negotiation to inject payloads of the form USER=-f <user>, achieving shell access without any authentication. Within 24 hours, attempts originated from 21 unique IPs located in Hong Kong, the United States, Japan, the Netherlands, China, Germany, Singapore, and Thailand.
Most traffic appeared automated, consistent with scanning and mass exploitation tools. However, in several cases analysts observed clear signs of manual post-exploitation: interactive commands, system reconnaissance, and efforts to deploy Python-based malware. Early infection attempts often failed due to missing Python or expected directories, but historical experience with Telnet-driven botnets such as Mirai suggests that attackers rapidly adapt their tooling once a reliable exploit path exists.
Immediate Mitigation Steps for CVE-2026-24061
Short-term containment for affected Linux and IoT systems
Administrators responsible for systems using GNU InetUtils should treat this as a priority-1 incident and:
- Upgrade to GNU InetUtils 2.8 or later, where CVE-2026-24061 is patched.
- If upgrading is not immediately possible, disable the telnetd service wherever it is not strictly required.
- Block TCP port 23 (Telnet) on perimeter and internal firewalls unless there is a compelling, documented business need.
- As an interim workaround, configure telnetd to use an alternative login implementation that does not support the
-fflag.
It is also advisable to enable or tune network and log monitoring to flag Telnet connections with unusual option negotiation or unexpected environment variables, enabling early detection of exploitation attempts.
Long-term hardening and migration away from Telnet
The CVE-2026-24061 incident illustrates the systemic risk of technical debt and legacy protocols. To improve resilience over the long term, organizations should:
- Phase out Telnet in favor of SSH or other encrypted management protocols wherever possible.
- Implement regular firmware and software update processes for servers and IoT devices, including inventories and alerts for unsupported versions.
- Conduct periodic port and service exposure audits using internal scanners or external attack-surface monitoring.
- Apply network segmentation and least-privilege access to isolate devices that cannot be promptly upgraded or replaced.
The combination of long-lived legacy code, an obsolete plaintext protocol, and slow update cycles makes CVE-2026-24061 a clear warning for modern infrastructure. Organizations and individual users should urgently assess their environments for exposed Telnet services, apply available patches or disable vulnerable components, and adopt structured vulnerability and update management. These measures not only reduce the likelihood of compromise via this specific flaw but also strengthen defenses against future vulnerabilities in foundational network services.
