Full Report
Critical vuln flew under the radar for a decade A recently disclosed critical vulnerability in the GNU InetUtils telnet daemon (telnetd) is "trivial" to exploit, experts say.…
Analysis Summary
# Vulnerability: Critical Authentication Bypass in GNU InetUtils telnetd leading to Root Access
## CVE Details
- CVE ID: CVE-2026-24061
- CVSS Score: 9.8 (Critical)
- CWE: Argument Injection (Implied)
## Affected Systems
- Products: GNU InetUtils telnet daemon (telnetd)
- Versions: The flaw was introduced in a May 2015 update, so releases since then are affected; the exact affected range depends on vendor packaging and must be checked against the relevant vendor advisory.
- Configurations: Any system running the vulnerable `telnetd`.
## Vulnerability Description
The vulnerability lies in how the `telnetd` server invokes `/usr/bin/login`. The server passes the value of the `USER` environment variable received from the client as the last argument to `/usr/bin/login` (which normally runs as root), without ensuring that the value cannot be interpreted as an option. If the client supplies a `USER` value of **`-f root`** (for example through the `telnet(1)` client's `-a` / `--login` option, which sends the user name in the `USER` variable), `login` treats it as its `-f root` option, skips authentication, and the attacker is logged in as root. This is an argument injection flaw.
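To make the argument-injection pattern concrete, here is an added example (not code from GNU InetUtils or from the advisory) that models how a daemon might build the `argv` for `/usr/bin/login` from the client-supplied `USER` value, placing the flawed construction beside a hardened one. The `LOGIN_PATH`, the username allow-list and the assumption that `login` uses getopt-style parsing (where `--` ends option processing) are this example's own; nothing is executed.

```python
from __future__ import annotations

import re
import shlex
from typing import Optional

# Added example, not telnetd's own code: a simplified model of how a telnet
# daemon assembles the argv handed to /usr/bin/login. Nothing is executed.
LOGIN_PATH = "/usr/bin/login"  # assumed path, as named in the advisory

# Conservative allow-list for a POSIX-style login name (assumption for this example).
_SAFE_USERNAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def build_login_argv_vulnerable(user: str) -> list[str]:
    """The flawed pattern: the client-controlled USER value is appended verbatim
    as the last argument, so a value beginning with '-' reaches login's option parser."""
    return [LOGIN_PATH, "-p", user]


def is_safe_username(user: str) -> bool:
    """True only for a plain login name; anything starting with '-' fails the regex."""
    return bool(_SAFE_USERNAME.match(user))


def build_login_argv_hardened(user: str) -> Optional[list[str]]:
    """Validate the name and terminate option parsing with '--' (assumes login
    honours getopt's '--' convention). Returns None when the value is rejected."""
    if not is_safe_username(user):
        return None
    return [LOGIN_PATH, "-p", "--", user]


def looks_like_option_injection(argv: list[str]) -> bool:
    """Flag an argv whose user-supplied trailing argument would be parsed as an option."""
    trailing = argv[-1]
    return trailing.startswith("-") and "--" not in argv[:-1]


def render(argv: list[str]) -> str:
    """Shell-quoted rendering of the argv, for log messages and review."""
    return shlex.join(argv)


if __name__ == "__main__":
    for value in ("alice", "-f root"):
        print("vulnerable:", render(build_login_argv_vulnerable(value)),
              "| injection:", looks_like_option_injection(build_login_argv_vulnerable(value)))
        print("hardened:  ", build_login_argv_hardened(value))
```

The hardened form applies two independent controls: the allow-list rejects the value outright, and the `--` separator means that even a value that slipped through would be treated as a positional login name rather than an option.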
## Exploitation
- Status: Exploitation underway (GreyNoise data shows active scanning attempts).
- Complexity: Low (Described as "trivial" and "straightforward").
- Attack Vector: Network (Remote).
## Impact
- Confidentiality: High (Root access allows viewing all system data).
- Integrity: High (Root access allows modification or deletion of all system data/configurations).
- Availability: High (Root access can lead to system compromise or denial of service).
## Remediation
### Patches
- Users should update to the latest version of `telnetd` or the relevant GNU InetUtils package addressing CVE-2026-24061. (Specific patch version numbers are not provided in the source material, requiring consulting vendor advisories.)
### Workarounds
1. **Decommissioning:** The primary recommendation from multiple cybersecurity authorities is to **decommission all telnet services** entirely, as the protocol is inherently insecure (unencrypted).
2. **Alternative:** Upgrade to a more secure alternative protocol, such as SSH.
3. **Access Restriction:** If decommissioning is not immediately possible, restrict network access to the telnet port (usually TCP/23) to only trusted clients.
## Detection
- Indicators of Compromise: Look for remote connection attempts that use the `telnet -a` or `--login` options, or a client-supplied `USER` environment value containing `-f root` aimed at the login process.
- Detection Methods and Tools: Monitor network traffic for unencrypted login attempts on port 23, and update security monitoring tools (IDS/IPS) with signatures for this argument injection technique.
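The `USER` value travels in the telnet NEW-ENVIRON option (RFC 1572) before `login` is ever started, so it can be inspected on the wire. The following added example (not from the page or from any vendor tool) parses NEW-ENVIRON subnegotiations out of a raw telnet byte stream, honouring the `IAC IAC` and `ESC` escaping, and flags a `USER` value that begins with `-`. The sample byte strings are constructed for the example, not captured traffic.

```python
from __future__ import annotations

from typing import Optional

# Telnet protocol constants (RFC 854 / RFC 1572).
IAC, SB, SE = 255, 250, 240
NEW_ENVIRON = 39
IS, SEND, INFO = 0, 1, 2
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3


def _read_subneg(data: bytes, i: int) -> Optional[tuple[bytes, int]]:
    """Read a subnegotiation body starting just after IAC SB, un-escaping IAC IAC.
    Returns (body, offset_after_IAC_SE), or None if malformed/unterminated."""
    out = bytearray()
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            return None
        nxt = data[i + 1]
        if nxt == IAC:          # escaped literal 0xff
            out.append(IAC)
            i += 2
        elif nxt == SE:         # end of subnegotiation
            return bytes(out), i + 2
        else:                   # bare IAC inside a subnegotiation: malformed
            return None
    return None


def _parse_env_body(body: bytes) -> list[tuple[str, str]]:
    """Decode the VAR/USERVAR name VALUE value sequence of a NEW-ENVIRON IS/INFO body."""
    pairs: list[tuple[str, str]] = []
    name: Optional[bytearray] = None
    value: Optional[bytearray] = None
    i = 0
    while i < len(body):
        b = body[i]
        if b in (VAR, USERVAR):
            if name is not None:
                pairs.append((bytes(name).decode("latin-1"), bytes(value or b"").decode("latin-1")))
            name, value = bytearray(), None
        elif b == VALUE and name is not None:
            value = bytearray()
        else:
            if b == ESC and i + 1 < len(body):   # ESC escapes the next byte
                i += 1
                b = body[i]
            target = value if value is not None else name
            if target is not None:
                target.append(b)
        i += 1
    if name is not None:
        pairs.append((bytes(name).decode("latin-1"), bytes(value or b"").decode("latin-1")))
    return pairs


def extract_new_environ(data: bytes) -> list[tuple[str, str]]:
    """Return (name, value) pairs from every NEW-ENVIRON IS/INFO subnegotiation in data."""
    pairs: list[tuple[str, str]] = []
    pos = 0
    marker = bytes([IAC, SB, NEW_ENVIRON])
    while True:
        start = data.find(marker, pos)
        if start < 0:
            return pairs
        parsed = _read_subneg(data, start + len(marker))
        if parsed is None:
            return pairs
        body, pos = parsed
        if body and body[0] in (IS, INFO):
            pairs.extend(_parse_env_body(body[1:]))


def suspicious_user_values(data: bytes) -> list[str]:
    """USER values that begin with '-' (such as '-f root'), which login would read as options."""
    return [v for n, v in extract_new_environ(data) if n == "USER" and v.lstrip().startswith("-")]


# Constructed samples of a client's NEW-ENVIRON IS reply (as telnet -a/--login
# would send USER); not captured traffic.
BENIGN = bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER" + bytes([VALUE]) + b"alice" + bytes([IAC, SE])
MALICIOUS = bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER" + bytes([VALUE]) + b"-f root" + bytes([IAC, SE])

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, extract_new_environ(sample), "->", suspicious_user_values(sample))
```

Because the value is parsed from the option negotiation rather than matched as a raw byte pattern, the check also catches encodings that would defeat a naive substring signature, such as an `ESC`-escaped byte inside the value.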
## References
- Vendor Advisory (General): hxxps://seclists.org/oss-sec/2026/q1/89
- GreyNoise Activity Data: hxxps://viz.greynoise.io/tags/inetutils-telnetd--f-auth-bypass-attempt?days=1
- CERT-FR Advisory: hxxps://www.cert.ssi.gouv.fr/actualite/CERTFR-2026-ACT-003/
- Canada Cyber Advisory: hxxps://www.cyber.gc.ca/en/alerts-advisories/gnu-security-advisory-av26-047
- Belgium CCB Advisory: hxxps://ccb.belgium.be/advisories/warning-critical-authentication-bypass-gnu-inetutils-telnetd-patch-immediately