Hackers exploit important telnetd auth bypass flaw to get root

A coordinated marketing campaign has been noticed concentrating on a lately disclosed critical-severity vulnerability that has been current within the GNU InetUtils telnetd server for 11 years.

The security concern is tracked as CVE-2026-24061 and was reported on January 20. It’s trivial to leverage and a number of exploit examples are publicly obtainable.

Bug endured since 2015

Open-source contributor Simon Josefsson explains that the telnetd part of GNU InetUtils comprises a remote-authentication bypass vulnerability attributable to unsanitized atmosphere variable dealing with when spawning ‘/usr/bin/login.’

The flaw happens as a result of telnetd passes the user-controlled USER atmosphere variable on to login(1) with out sanitization. By setting USER to -f root and connecting with the telnet -a command, an attacker can skip authentication and procure root entry.

The difficulty impacts GNU InetUtils variations 1.9.3 (launched in 2015) by way of 2.7, and was patched in model 2.8. For many who can’t improve to the protected launch, mitigation methods embrace disabling the telnetd service or blocking TCP port 23 on all firewalls.

GNU InetUtils is a set of traditional community consumer and server instruments (telnet/telnetd, ftp/ftpd, rsh/rshd, ping, traceroute) maintained by the GNU Venture, and used throughout a number of Linux distributions.

Though Telnet is an insecure, legacy part largely changed by SSH, many Linux and Unix techniques nonetheless embrace it for compatibility or specialised utilization wants. It’s notably prevalent within the industrial sector due to its simplicity and low overhead.

On legacy and embedded units, it might probably run with out updates for greater than a decade, explaining its presence in IoT units, cameras, industrial sensors, and Operational Expertise (OT) networks.

Cristian Cornea of Zerotak, a penetration testing and cybersecurity providers firm, instructed BleepingComputer that important techniques are tough to switch in OT/ICS environments.

The researcher stated that that is typically inconceivable as a result of upgrades are accompanied by reboot operations. “Consequently, we nonetheless encounter techniques working Telnet servers, and even for those who tried to switch them with safer protocols equivalent to SSH, this isn’t possible as a consequence of legacy techniques that stay in operation.”

Extra technical customers nonetheless depend on telnet for some tasks:

One other consumer confirmed the usage of telnet “to hook up with older Cisco units which are well past “Finish of Life.”  Identical SSH concern.”

Nonetheless, units uncovered on the general public web that also have telnet energetic are scarce, prompting many researchers to explain the CVE-2026-24061 vulnerability as much less important.

Menace monitoring agency GreyNoise stories that it has detected real-world exploitation exercise leveraging CVE-2026-24061 in opposition to a small variety of weak endpoints.

The exercise, logged between January 21 and 22, originated from 18 distinctive attacker IPs throughout 60 Telnet periods, all deemed 100% malicious, sending 1,525 packets totaling 101.6 KB.

The assaults abuse the Telnet IAC choice negotiation to inject ‘USER=-f <consumer>’ and grant shell entry with out authentication. GreyNoise says a lot of the exercise seems automated, though it famous a number of “human-at-keyboard” instances.

The assaults various in terminal pace, sort, and X11 DISPLAY values, however in 83.3% of the instances, they focused the ‘root’ consumer.

Within the post-exploitation section, the attackers carried out automated reconnaissance and tried to persist SSH keys and deploy Python malware. GreyNoise stories that these makes an attempt failed on the noticed techniques as a consequence of lacking binaries or directories.

Whereas the exploitation exercise seems restricted in scope and success, probably impacted techniques must be patched or hardened as per the suggestions earlier than the attackers optimize their assault chains.