CVE-2026-24061: 11-Year-Old GNU Telnetd Vulnerability Grants Instant Root Access

Source: OffSec

An 11-year-old critical vulnerability in GNU InetUtils telnetd has been discovered that allows unauthenticated remote attackers to bypass authentication entirely and gain immediate root shell access through malicious environment variable injection. This vulnerability, tracked as CVE-2026-24061, has been added to CISA’s Known Exploited Vulnerabilities catalog due to active exploitation in the wild.

Vulnerability Overview

• CVE ID: CVE-2026-24061
• Severity: Critical
• CVSS Score: 9.8
• EPSS Score: 92.57%
• Attack Vector: Network
• Authentication Required: None
• Vulnerable Versions: GNU InetUtils telnetd 1.9.3 through 2.7

Technical Details

The vulnerability stems from a 2015 commit that added a %U placeholder to the login command template. This placeholder is replaced with the USER environment variable, which clients can set through the Telnet protocol’s NEW_ENVIRON option during connection negotiation. The critical flaw is that telnetd performs no sanitization or validation on this value before inserting it into the command arguments.

An attacker exploits this by setting USER to -f root. When telnetd constructs the login command, it becomes:

/usr/bin/login -h [hostname] "-f root"

The -f flag tells login to skip authentication entirely and immediately grant a shell to the specified user—resulting in instant root access without providing any credentials.

Exploitation Is Trivial

Public proof-of-concept code is widely available and exploitation requires just a single command:

USER='-f root' telnet -a <target_ip>

This grants immediate root shell access on any vulnerable system.

Massive Attack Surface

Despite Telnet being considered a legacy protocol, the attack surface remains significant:

• Over 212,000 devices currently run Telnet servers globally
• Approximately 1 million devices listening on port 23
• Particularly affects embedded systems, IoT devices, network appliances, and OT infrastructure

Active Exploitation

CISA has added CVE-2026-24061 to its Known Exploited Vulnerabilities catalog due to active exploitation by threat actors, including the group ‘rwxrwx’. The flaw existed undetected for over 11 years since its introduction in 2015.

Recommended Actions

Immediate Mitigations

• Update GNU InetUtils to version 2.7-2 or later
• If patching isn’t possible, disable telnetd immediately
• Block port 23 at the firewall as a temporary measure

Long-term Solutions

• Migrate from Telnet to SSH for remote access
• Remove telnetd services where not absolutely required
• Implement strict network segmentation for legacy systems requiring Telnet
• Place vulnerable systems behind VPNs or access control mechanisms

Detection and Verification

• Check telnetd version: telnetd --version or dpkg -l | grep inetutils
• Verify service status: systemctl status inetutils-telnetd
• Confirm port 23 isn’t exposed: netstat -tlnp | grep :23
• Review logs for suspicious telnet connections or direct root logins without authentication
• Assume breach for exposed systems and conduct incident response procedures

Why This Matters

This vulnerability is particularly dangerous because:

• No authentication required—any network attacker can exploit it
• No user interaction needed—exploitation is fully automated
• Immediate root access—complete system control from a single command
• Wide deployment—affects critical infrastructure, OT environments, and enterprise networks
• 11 years undetected—demonstrates the risk of legacy protocol maintenance gaps

Organizations running any Telnet services should immediately audit their exposure and assume potential compromise until systems are patched and investigated.