
CVE-2026-24061 is a critical authentication bypass vulnerability in the telnetd service of GNU Inetutils versions 1.9.3 through 2.7. It allows remote attackers to gain root access by setting the USER environment variable to “-f root”, bypassing normal login credentials.
Vulnerability Details
This flaw, present since around 2015 (nearly 11 years), stems from improper sanitization of the USER environment variable before passing it to /usr/bin/login, enabling argument injection. CVSS v3.1 base score is 9.8 (Critical), with network attack vector, low complexity, no privileges or user interaction required, and high impacts on confidentiality, integrity, and availability.
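To make the argument-injection point concrete, the following added example (not inetutils' own code) contrasts an illustrative unchecked argv construction with a hardened one that validates the remote-supplied USER value before it is allowed to reach a login command. The argv layout, the /usr/bin/login path and the helper names are assumptions for illustration; nothing is executed, the functions only build and return the argument vector.

```python
"""Illustrative USER-value validation for a login hand-off (added example).

The vulnerable variant forwards the client-controlled value unchanged, so a
value beginning with "-" is interpreted by login as an option rather than as
an account name.  The hardened variant enforces a strict login-name grammar and
rejects anything that could be parsed as an option.
"""
import re

LOGIN_PATH = "/usr/bin/login"  # assumed path, for illustration only

# Conservative POSIX portable-login-name grammar: first char a letter or
# underscore, then letters, digits, underscore or hyphen.  A leading "-" can
# never match, which is the property that blocks option injection.
_LOGIN_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def is_safe_login_name(user: str) -> bool:
    """Return True only if `user` is a plain account name, never an option."""
    if not isinstance(user, str) or not user:
        return False
    if user.startswith("-"):          # explicit check even though regex covers it
        return False
    if any(ch.isspace() or ord(ch) < 0x20 for ch in user):
        return False
    return _LOGIN_NAME.fullmatch(user) is not None


def build_login_argv_vulnerable(user: str, remote_host: str) -> list:
    """Illustrative flawed construction: the remote value goes in unchecked."""
    return [LOGIN_PATH, "-h", remote_host, "-p", user]


def build_login_argv(user: str, remote_host: str) -> list:
    """Hardened construction: refuse any value that is not a plain login name."""
    if not is_safe_login_name(user):
        raise ValueError("refusing USER value that is not a plain login name: %r" % user)
    return [LOGIN_PATH, "-h", remote_host, "-p", user]


if __name__ == "__main__":
    # Constructed sample values: the payload quoted in the advisory text and a
    # benign account name.
    for candidate in ("-f root", "alice"):
        print("vulnerable :", build_login_argv_vulnerable(candidate, "203.0.113.5"))
        try:
            print("hardened   :", build_login_argv(candidate, "203.0.113.5"))
        except ValueError as exc:
            print("hardened   : rejected ->", exc)
```

The useful property is that the hardened builder fails closed: a value that is not a well-formed account name never reaches the command line at all, so there is no option string for login to misinterpret, regardless of which options the local login binary happens to support.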
Affected Systems
Primarily impacts Linux, BSD, OT, and embedded systems running vulnerable GNU Inetutils telnetd, with an estimated 212,396 exposed Telnet servers internet-wide. Distributions like Debian bookworm (pre-2:2.4-2+deb12u2) and Ubuntu are affected until patched.
Exploitation and Risks
Active exploitation has been observed, including malware deployment and persistence establishment; PoC exploits are publicly available. It poses a direct initial access risk for internet-facing Telnet services.
Mitigation
Update to GNU Inetutils 2.7-2 or later; disable Telnet if unused, as it’s inherently insecure. Vendors like Red Hat, Ubuntu, and Debian have issued patches or advisories.