Full Report
Telnetd uses /usr/bin/login for authentication. To log in via telnet, you need to pass a valid username and password. When telnetd builds the /usr/bin/login command line, a %U placeholder in its template is replaced with the USER value the client supplied during Telnet environment negotiation, and telnetd performs no sanitization of that value when substituting it. So /usr/bin/login -h [hostname] "%U" becomes /usr/bin/login -h [hostname] "USER", with whatever the client put in USER. Setting USER to -f root makes login skip authentication and hand a shell to root. No custom client is needed: the remote exploit is just the regular telnet command with automatic login, USER='-f root' telnet -a [ipaddr]. Obviously, this is really bad if it's exposed to the Internet. If you were exposing telnet in the first place, then you probably have other problems, though.
Analysis Summary
# Vulnerability: GNU InetUtils telnetd Authentication Bypass via Environment Variable Injection
## CVE Details
- CVE ID: CVE-2026-24061
- CVSS Score: 9.8 (Critical)
- CWE: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), inferred from the nature of the bug. Strictly, the client value supplies an *option* to `login` rather than a shell metacharacter, so CWE-88 (Improper Neutralization of Argument Delimiters in a Command, 'Argument Injection') is the closer classification.
## Affected Systems
- Products: GNU InetUtils telnetd
- Versions: 1.9.3 through 2.7 (upstream releases). The "2.7-2" cited as the fixed version is a distribution package revision (Debian/Ubuntu style), not an upstream release; the exact fixed package differs per distribution.
- Configurations: Any host running `telnetd` that untrusted clients can reach. No special server configuration is required; the client only has to offer a `USER` variable through the Telnet `NEW-ENVIRON` option, which the standard client does with `telnet -a`.
## Vulnerability Description
The GNU InetUtils `telnetd` service delegates authentication to `/usr/bin/login` by executing it as a subprocess. The flaw is the direct, unsanitized substitution of the `USER` variable, which the client supplies through the Telnet `NEW_ENVIRON` option, into the command line for `/usr/bin/login`: a `%U` placeholder in the command template is replaced with the raw client value. With `USER` set to `-f root`, the expanded command is effectively `/usr/bin/login -h [hostname] -f root`, and `login` ends up seeing `-f` as one of its own arguments rather than as part of a user name. The `-f` flag tells `login` that the user is already authenticated, so it skips the password check and grants an immediate shell to the named user (`root` here).
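The mechanism described in the Full Report and in the description above, as an added Python model that is not code from inetutils or from this report: the flawed expansion that substitutes `USER` into the whole template and then tokenizes it, beside a hardened variant that validates the value and substitutes per token. The template string, the client address, and the allowed username character set are assumptions for the example; the real telnetd template is not reproduced.

```python
import shlex

# Assumed template in the shape the report describes; the real telnetd
# default string is not reproduced here.
LOGIN_TEMPLATE = "/usr/bin/login -h %h %U"


def expand_vulnerable(template: str, hostname: str, user: str) -> list:
    """Model of the flaw: substitute %h and %U textually into the whole
    template, then tokenize the result into argv. Whitespace inside the
    USER value therefore produces extra argv words."""
    expanded = template.replace("%h", hostname).replace("%U", user)
    return shlex.split(expanded)


def is_safe_username(user: str) -> bool:
    """Reject values that could be parsed as an option or split into extra
    words. The character set and length cap are assumptions chosen to
    match typical POSIX user names, not a rule taken from telnetd."""
    if not user or len(user) > 32 or user.startswith("-"):
        return False
    return all(c.isalnum() or c in "._-" for c in user)


def expand_hardened(template: str, hostname: str, user: str) -> list:
    """Validate USER first, then substitute per token so that a value can
    never change the number of argv words login receives."""
    if not is_safe_username(user):
        raise ValueError("refusing unsafe USER value: %r" % user)
    argv = []
    for token in shlex.split(template):
        argv.append(token.replace("%h", hostname).replace("%U", user))
    return argv


def login_would_skip_auth(argv: list) -> bool:
    """Crude model of login's option parsing: a standalone '-f' word among
    the arguments means 'user is pre-authenticated, skip the password'."""
    return "-f" in argv[1:]


if __name__ == "__main__":
    host = "10.0.0.5"  # constructed example client address
    for user in ("alice", "-f root"):
        argv = expand_vulnerable(LOGIN_TEMPLATE, host, user)
        print("vulnerable:", argv, "skips auth:", login_would_skip_auth(argv))
        try:
            print("hardened:  ", expand_hardened(LOGIN_TEMPLATE, host, user))
        except ValueError as err:
            print("hardened:  ", err)
```

The vulnerable path turns `-f root` into the two argv words `-f` and `root`, which is exactly the shape `login` needs to treat the session as pre-authenticated; the hardened path rejects the value before any expansion happens, and per-token substitution means even a value that slipped past validation could not add words.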
## Exploitation
- Status: Actively exploited in the wild (added to the CISA KEV catalog).
- Complexity: Low
- Attack Vector: Network
- Impact Details: Unauthenticated remote attackers can gain immediate root access.
## Impact
- Confidentiality: High (Root access leads to full data disclosure)
- Integrity: High (Root access allows arbitrary system modification)
- Availability: High (Root access allows system shutdown or disruption)
## Remediation
### Patches
- Upgrade GNU InetUtils to a build that contains the upstream fix commit (see References). Distribution packages ship the fix as their own revision; for Debian/Ubuntu-style packaging the fixed revision is cited as **2.7-2 or later**, so confirm the exact fixed version against your distribution's advisory.
### Workarounds
1. Disable `telnetd` immediately if patching is not possible.
2. Block TCP port 23 at the network perimeter firewall.
3. Migrate all remote access functionality from Telnet to SSH.
4. Restrict access to vulnerable systems using VPNs or strict network segmentation/ACLs.
## Detection
- Indicators of Compromise:
- A root session opened on a telnet pseudo-terminal (visible in `last`/wtmp or `who`) with no matching successful password authentication in the auth log, since `login -f` skips the password step entirely.
- Unexpected connections to TCP port 23, especially from outside the management network that is supposed to reach the host.
- Detection methods and tools:
- Check `telnetd` version using tools like `telnetd --version` or OS package inspection (`dpkg -l | grep inetutils`).
- Monitor traffic to port 23 and inspect Telnet `NEW-ENVIRON` subnegotiations for a `USER` value that begins with `-` or contains whitespace; a legitimate user name never does, so such a value is a direct signature of this attack.
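To make the "suspicious Telnet environment negotiation parameters" item concrete, the following Python is an added example (not a tool from this page or from the inetutils project). It walks a captured telnet byte stream, extracts `NEW-ENVIRON` variables per RFC 1572 (handling the doubled-IAC escape and the `ESC` byte), and flags a `USER` value that starts with a dash or contains whitespace. The byte strings near the bottom are constructed to resemble what `telnet -a` sends, not real captures.

```python
# Telnet framing (RFC 854) and NEW-ENVIRON codes (RFC 1572)
IAC, SB, SE = 255, 250, 240
WILL, WONT, DO, DONT = 251, 252, 253, 254
NEW_ENVIRON = 39
IS, SEND, INFO = 0, 1, 2
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3


def iter_subnegotiations(stream: bytes):
    """Yield (option, payload) for each IAC SB <option> ... IAC SE block.
    A doubled IAC inside the block is an escaped 0xFF data byte."""
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC or i + 1 >= n:
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd == SB and i + 2 < n:
            option = stream[i + 2]
            payload = bytearray()
            j = i + 3
            while j < n:
                if stream[j] == IAC and j + 1 < n:
                    if stream[j + 1] == IAC:      # escaped data byte
                        payload.append(IAC)
                        j += 2
                        continue
                    if stream[j + 1] == SE:       # end of subnegotiation
                        j += 2
                        break
                payload.append(stream[j])
                j += 1
            yield option, bytes(payload)
            i = j
        elif cmd in (WILL, WONT, DO, DONT):       # three-byte commands
            i += 3
        else:                                     # two-byte commands
            i += 2


def _append(current, b):
    """Append a byte to the name or, once VALUE was seen, to the value."""
    if current is not None:
        (current[1] if current[2] is None else current[2]).append(b)


def _finish(current):
    kind, name, value = current
    return (kind, name.decode("latin-1"),
            "" if value is None else value.decode("latin-1"))


def parse_new_environ(payload: bytes) -> list:
    """Parse a NEW-ENVIRON IS/INFO payload into (kind, name, value) triples.
    ESC quotes the following byte so a value may contain 0..3 literally."""
    if not payload or payload[0] not in (IS, INFO):
        return []  # SEND (server -> client) carries no values
    entries, current = [], None
    i = 1
    while i < len(payload):
        b = payload[i]
        if b == ESC and i + 1 < len(payload):
            i += 1
            _append(current, payload[i])
        elif b in (VAR, USERVAR):
            if current is not None:
                entries.append(_finish(current))
            current = ["VAR" if b == VAR else "USERVAR", bytearray(), None]
        elif b == VALUE and current is not None:
            current[2] = bytearray()
        else:
            _append(current, b)
        i += 1
    if current is not None:
        entries.append(_finish(current))
    return entries


def suspicious_user_values(stream: bytes) -> list:
    """Return USER values shaped like option injection: a leading '-' or
    embedded whitespace, which is what the '-f root' payload looks like."""
    hits = []
    for option, payload in iter_subnegotiations(stream):
        if option != NEW_ENVIRON:
            continue
        for _kind, name, value in parse_new_environ(payload):
            if name == "USER" and (value.startswith("-")
                                   or any(c.isspace() for c in value)):
                hits.append(value)
    return hits


# Constructed samples, not real captures: a DO followed by the client's IS.
BENIGN = (bytes([IAC, DO, NEW_ENVIRON]) + bytes([IAC, SB, NEW_ENVIRON, IS, VAR])
          + b"USER" + bytes([VALUE]) + b"alice" + bytes([IAC, SE]))
MALICIOUS = (bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER"
             + bytes([VALUE]) + b"-f root" + bytes([IAC, SE]))

if __name__ == "__main__":
    print("benign    ->", suspicious_user_values(BENIGN))
    print("malicious ->", suspicious_user_values(MALICIOUS))
```

The same `suspicious_user_values` check can be dropped into a packet-capture pipeline or a network-sensor rule: feed it the client-to-server payload of a port 23 session, and any non-empty result is worth an alert regardless of whether the target was patched.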
## References
- Vendor Advisory (Commit Fix): hxxps://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc
- CVE Details: hxxps://www.cvedetails.com/cve/CVE-2026-24061/
- NVD: hxxps://nvd.nist.gov/vuln/detail/CVE-2026-24061
- Ubuntu Security: hxxps://ubuntu.com/security/CVE-2026-24061