Full Report
A critical security flaw has been disclosed in the GNU InetUtils telnet daemon (telnetd) that went unnoticed for nearly 11 years. The vulnerability, tracked as CVE-2026-24061, is rated 9.8 out of 10.0 on the CVSS scoring system. It affects all versions of GNU InetUtils from version 1.9.3 up to and including version 2.7. "Telnetd in GNU Inetutils through 2.7 allows remote authentication bypass
Analysis Summary
# Vulnerability: Remote Authentication Bypass in GNU InetUtils telnetd
## CVE Details
- CVE ID: CVE-2026-24061
- CVSS Score: 9.8 (/10.0) (Critical)
- CWE: Insufficient Input Validation (Inferred)
## Affected Systems
- Products: GNU InetUtils telnet daemon (telnetd)
- Versions: All versions from 1.9.3 up to and including 2.7.
- Configurations: Systems where the InetUtils `telnetd` service is running and accepts connections.
## Vulnerability Description
The `telnetd` executable invokes `/usr/bin/login`, which normally runs with root privileges. The vulnerability arises because `telnetd` unsafely passes the value of the `USER` environment variable received from a remote client directly as the last parameter to `login(1)`. A remote attacker can craft a request where the `USER` environment variable contains the string `"-f root"`. The `login(1)` utility interprets the `-f` parameter as instructions to bypass normal authentication checks and log the user in directly as the specified user, in this case, 'root'. This results in a remote, unauthenticated bypass leading to root access. The vulnerability was introduced around March 19, 2015.
## Exploitation
- Status: Observed active attempts in the wild (21 unique IPs observed attempting exploitation). PoC mechanism described via public mailing list.
- Complexity: Low (Remote client can set a crafted environment variable).
- Attack Vector: Network
## Impact
- Confidentiality: High (Root access allows reading all system files)
- Integrity: High (Root access allows modification or destruction of all data)
- Availability: High (Root access allows system disruption)
## Remediation
### Patches
- Apply the latest available patch from the GNU InetUtils project addressing CVE-2026-24061 (refer to vendor advisories for the exact version containing the fix).
### Workarounds
1. **Disable `telnetd` server:** Temporarily stop or disable the service entirely until patched.
2. **Restrict Network Access:** Limit access to the telnet port (TCP/23) only to trusted clients/networks (e.g., via firewall rules).
3. **Custom Login Tool:** Configure `telnetd` to use a custom `login(1)` tool that explicitly ignores or sanitizes the `-f` parameter.
## Detection
- **Indicators of Compromise:** Look for unusual network connections to TCP port 23 being followed immediately by shell invocation or command execution, specifically requests using the `-f root` syntax in session initialization data.
- **Detection Methods and Tools:** Monitor network traffic destined for port 23 for unusual environment variable content in the initial connection handshake. Threat intelligence indications show scanning activity originating from various regions globally.
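One way to implement the traffic check described above, as an added example that is not from the advisory or the InetUtils project: the parser below decodes the telnet NEW-ENVIRON (RFC 1572) suboption from a client's byte stream and flags a `USER` value that begins with `-`, the pattern `login(1)` would read as an option. The sample bytes are constructed; the check is generalised to any leading `-`, not only `-f root`.

```python
"""Detector for CVE-2026-24061 style option injection through telnet NEW-ENVIRON."""
IAC, SB, SE = 255, 250, 240          # telnet command bytes
NEW_ENVIRON = 39                     # RFC 1572 option number
IS, INFO = 0, 2                      # suboption commands sent by the client
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3


def parse_new_environ(stream: bytes) -> dict:
    """Return {name: value} for every NEW-ENVIRON IS/INFO suboption in `stream`."""
    env, pos = {}, 0
    while True:
        start = stream.find(bytes([IAC, SB, NEW_ENVIRON]), pos)
        end = stream.find(bytes([IAC, SE]), start + 3) if start >= 0 else -1
        if end < 0:
            return env
        pos = end + 2
        # Doubled IAC inside the suboption is an escaped literal 0xFF byte.
        body = stream[start + 3:end].replace(bytes([IAC, IAC]), bytes([IAC]))
        if not body or body[0] not in (IS, INFO):
            continue
        # Split into (kind, text) tokens; ESC makes the next byte literal.
        tokens, kind, buf, i = [], None, bytearray(), 1
        while i < len(body):
            b = body[i]
            if b == ESC and i + 1 < len(body):
                i += 1
                buf.append(body[i])
            elif b in (VAR, USERVAR, VALUE):
                if kind is not None:
                    tokens.append((kind, buf.decode("latin-1")))
                kind, buf = b, bytearray()
            else:
                buf.append(b)
            i += 1
        if kind is not None:
            tokens.append((kind, buf.decode("latin-1")))
        # A VAR/USERVAR followed by VALUE defines a variable; without VALUE it is undefined.
        for j, (k, name) in enumerate(tokens):
            if k != VALUE and j + 1 < len(tokens) and tokens[j + 1][0] == VALUE:
                env[name] = tokens[j + 1][1]


def flag_option_injection(env: dict) -> list:
    """Return the names of variables whose value login(1) would read as an option."""
    return [n for n, v in env.items() if n == "USER" and v.startswith("-")]


# Constructed sample: a client answering SEND with USER="-f root" and TERM="xterm".
SAMPLE = (bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER" + bytes([VALUE]) + b"-f root"
          + bytes([VAR]) + b"TERM" + bytes([VALUE]) + b"xterm" + bytes([IAC, SE]))
```

Feed `parse_new_environ` the client-to-server bytes captured at the start of a session (for example from a port 23 pcap) and alert when `flag_option_injection` returns a non-empty list.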
## References
- Vendor Advisory (Implicit via oss-security mailing list post): https://seclists.org/oss-sec/2026/q1/89
- NIST NVD Record: https://nvd.nist.gov/vuln/detail/CVE-2026-24061
- GreyNoise Monitoring: https://viz.greynoise.io/tags/inetutils-telnetd--f-auth-bypass-attempt?days=1