A coordinated marketing campaign has been noticed concentrating on a lately disclosed critical-severity vulnerability that has been current within the GNU InetUtils telnetd server for 11 years.
The safety subject is tracked as CVE-2026-24061 and was reported on January 20. It’s trivial to leverage and a number of exploit examples are publicly out there.
Bug persevered since 2015
Open-source contributor Simon Josefsson explains that the telnetd element of GNU InetUtils accommodates a remote-authentication bypass vulnerability attributable to unsanitized surroundings variable dealing with when spawning ‘/usr/bin/login.’
The flaw happens as a result of telnetd passes the user-controlled USER surroundings variable on to login(1) with out sanitization. By setting USER to -f root and connecting with the telnet -a command, an attacker can skip authentication and procure root entry.
The difficulty impacts GNU InetUtils variations 1.9.3 (launched in 2015) by way of 2.7, and was patched in model 2.8. For individuals who can not improve to the secure launch, mitigation methods embody disabling the telnetd service or blocking TCP port 23 on all firewalls.
GNU InetUtils is a set of basic community shopper and server instruments (telnet/telnetd, ftp/ftpd, rsh/rshd, ping, traceroute) maintained by the GNU Mission, and used throughout a number of Linux distributions.
Though Telnet is an insecure, legacy element largely changed by SSH, many Linux and Unix techniques nonetheless embody it for compatibility or specialised utilization wants. It’s notably prevalent within the industrial sector due to its simplicity and low overhead.
On legacy and embedded gadgets, it will probably run with out updates for greater than a decade, explaining its presence in IoT gadgets, cameras, industrial sensors, and Operational Know-how (OT) networks.
Cristian Cornea of Zerotak, a penetration testing and cybersecurity providers firm, instructed BleepingComputer that important techniques are troublesome to switch in OT/ICS environments.
The researcher stated that that is generally unimaginable as a result of upgrades are accompanied by reboot operations. “Consequently, we nonetheless encounter techniques operating Telnet servers, and even in the event you tried to switch them with safer protocols reminiscent of SSH, this isn’t possible attributable to legacy techniques that stay in operation.”
Extra technical customers nonetheless depend on telnet for some tasks:
One other consumer confirmed the usage of telnet “to hook up with older Cisco gadgets which can be well past “Finish of Life.” Similar SSH subject.”
Nevertheless, gadgets uncovered on the general public web that also have telnet lively are scarce, prompting many researchers to explain the CVE-2026-24061 vulnerability as much less important.
Risk monitoring agency GreyNoise stories that it has detected real-world exploitation exercise leveraging CVE-2026-24061 in opposition to a small variety of weak endpoints.
The exercise, logged between January 21 and 22, originated from 18 distinctive attacker IPs throughout 60 Telnet classes, all deemed 100% malicious, sending 1,525 packets totaling 101.6 KB.
Supply: GreyNoise
The assaults abuse the Telnet IAC choice negotiation to inject ‘USER=-f <consumer>’ and grant shell entry with out authentication. GreyNoise says many of the exercise seems automated, though it famous a couple of “human-at-keyboard” instances.
The assaults various in terminal velocity, kind, and X11 DISPLAY values, however in 83.3% of the instances, they focused the ‘root’ consumer.
Within the post-exploitation section, the attackers performed automated reconnaissance and tried to persist SSH keys and deploy Python malware. GreyNoise stories that these makes an attempt failed on the noticed techniques attributable to lacking binaries or directories.
Whereas the exploitation exercise seems restricted in scope and success, probably impacted techniques must be patched or hardened as per the suggestions earlier than the attackers optimize their assault chains.
It is price range season! Over 300 CISOs and safety leaders have shared how they’re planning, spending, and prioritizing for the yr forward. This report compiles their insights, permitting readers to benchmark methods, determine rising developments, and evaluate their priorities as they head into 2026.
Find out how prime leaders are turning funding into measurable affect.
