Critical Vulnerability in GNU InetUtils Exposes 800,000 Telnet Servers to Remote Code Execution
A severe security flaw has been identified in the telnetd component of GNU InetUtils, potentially compromising approximately 800,000 internet-accessible Telnet servers. This vulnerability, designated as CVE-2026-24061 with a CVSS score of 9.8, enables unauthenticated attackers to execute remote code, granting them root-level access without valid credentials.
Understanding the Vulnerability
The issue arises from an argument injection flaw present in telnetd versions 1.9.3 through 2.7. Specifically, the telnetd server fails to properly sanitize the USER environment variable before passing it to the /usr/bin/login program. This oversight allows attackers to inject the string -f root, effectively bypassing authentication mechanisms.
When an attacker initiates a connection using telnet with the -a or –login option and sets the USER variable to -f root, the login process interprets the -f flag as a directive to force login as the root user. Consequently, the system grants root access without performing standard authentication checks.
This vulnerability was inadvertently introduced in a source code commit from March 2015 and remained undetected for nearly 11 years. It affects major Linux distributions, including Debian, Ubuntu, Kali Linux, and Trisquel.
Real-World Exploitation and Proof-of-Concept
Proof-of-concept (PoC) exploits for this vulnerability have been publicly released and are actively being utilized. Security firm GreyNoise observed real-world exploitation within 18 hours of the public disclosure, capturing 1,525 packets across 60 Telnet sessions from 18 unique attacker IP addresses between January 21 and 22, 2026.
Notably, 83.3% of these attacks targeted root user access. Post-exploitation activities included establishing SSH key persistence, conducting system reconnaissance, and attempting to deploy malware.
Mitigation Strategies
Organizations are strongly advised to upgrade to GNU InetUtils version 2.8 or later to address this critical vulnerability. For systems where immediate upgrading is not feasible, the following mitigations are recommended:
– Disable the telnetd service entirely: Given the inherent insecurity of the Telnet protocol, turning off the service is the preferred approach.
– Block TCP port 23 at network perimeter firewalls: This measure prevents external access to the Telnet service.
– Restrict Telnet access to trusted clients only: Implement access controls to limit connections to known and trusted IP addresses.
The Shadowserver Foundation provides an Accessible Telnet Report to assist organizations in identifying exposed instances within their networks.
Broader Implications and Recommendations
This vulnerability underscores the persistent risks associated with legacy protocols like Telnet, which lack modern security features such as encryption. Organizations should consider transitioning to more secure alternatives like SSH (Secure Shell) for remote administration tasks.
Regular security audits and vulnerability assessments are crucial in identifying and mitigating potential threats. Implementing intrusion detection systems (IDS) and intrusion prevention systems (IPS) can provide additional layers of defense against exploitation attempts.
Furthermore, organizations should stay informed about security advisories and promptly apply patches to maintain the integrity and security of their systems.
Conclusion
The discovery of CVE-2026-24061 in GNU InetUtils’ telnetd component highlights the critical importance of proactive security measures. By promptly upgrading affected systems, implementing recommended mitigations, and transitioning away from outdated protocols, organizations can significantly reduce their exposure to such vulnerabilities.
