A coordinated campaign is exploiting CVE-2026-24061, a critical authentication-bypass flaw in GNU InetUtils’ telnetd that allows attackers to gain root by injecting a crafted USER environment variable. Although observed exploitation is limited so far, affected systems should upgrade to GNU InetUtils 2.8, or disable telnetd or block TCP port 23, to prevent compromise.
Key points
- The vulnerability occurs because telnetd passes the user-controlled USER environment variable directly to /usr/bin/login without sanitization.
- CVE-2026-24061 affects GNU InetUtils versions 1.9.3 through 2.7 and was patched in version 2.8.
- Exploit examples are public, and attackers abuse Telnet IAC negotiation to inject ‘USER=-f’, bypassing authentication to obtain root.
- GreyNoise observed real-world exploitation attempts from 18 IPs across 60 Telnet sessions, with post-exploitation attempts to persist SSH keys and deploy Python malware.
- Recommended mitigations are upgrading to InetUtils 2.8, disabling the telnetd service, or blocking TCP port 23—especially on legacy, embedded, and OT/ICS devices.
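
For the detection side of the key points above, the following added example (not code from GreyNoise, GNU InetUtils, or this summary) parses client-to-server Telnet bytes and flags any USER value that begins with `-`. It assumes the variable is carried in a NEW-ENVIRON (RFC 1572) subnegotiation, which the summary does not name; the function names and sample byte strings are constructed for the example.

```python
# Added example: flag Telnet USER values that login would read as an option.
# Assumption: USER arrives in a NEW-ENVIRON (RFC 1572) subnegotiation.
IAC, SB, SE, NEW_ENVIRON = 0xFF, 0xFA, 0xF0, 39
IS, INFO = 0, 2                      # subnegotiation commands that carry values
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3

def subnegotiations(stream: bytes):
    """Yield (option, payload) for each complete IAC SB ... IAC SE block."""
    i = 0
    while i < len(stream) - 2:
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] != SB:
            i += 2                   # IAC IAC (literal 0xFF) or another command
        else:
            option, body, i = stream[i + 2], bytearray(), i + 3
            while i < len(stream) - 1 and stream[i:i + 2] != bytes([IAC, SE]):
                i += 2 if stream[i:i + 2] == bytes([IAC, IAC]) else 1
                body.append(stream[i - 1])   # IAC IAC unescapes to one 0xFF
            if stream[i:i + 2] == bytes([IAC, SE]):
                yield option, bytes(body)    # unterminated blocks are dropped
            i += 2

def environ_pairs(payload: bytes) -> list:
    """Decode an IS/INFO payload into [(name, value), ...], honouring ESC."""
    pairs, name, i = [], None, 1
    if payload[:1] not in (bytes([IS]), bytes([INFO])):
        return pairs
    while i < len(payload):
        kind, i, cur = payload[i], i + 1, bytearray()
        while i < len(payload) and payload[i] not in (VAR, VALUE, USERVAR):
            i += 2 if payload[i] == ESC and i + 1 < len(payload) else 1
            cur.append(payload[i - 1])       # after ESC, keep the escaped byte
        if kind in (VAR, USERVAR):
            name = bytes(cur)
        elif kind == VALUE and name is not None:
            pairs.append((name, bytes(cur)))
    return pairs

def suspicious_users(stream: bytes) -> list:
    """Return every USER value in the stream that starts with '-'."""
    return [v for opt, payload in subnegotiations(stream) if opt == NEW_ENVIRON
            for n, v in environ_pairs(payload) if n == b"USER" and v.startswith(b"-")]

# Constructed client-to-server samples (not captured traffic).
HDR = bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER" + bytes([VALUE])
BENIGN = bytes([IAC, 0xFB, NEW_ENVIRON]) + HDR + b"alice" + bytes([IAC, SE])
FLAGGED = HDR + b"-f" + bytes([IAC, SE])
```

Feed `suspicious_users` the reassembled client side of each TCP/23 session; any non-empty result is worth an alert regardless of whether the target is patched.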