Home / Blog / CVE-2026-24061

CVE-2026-24061: The 11-Year-Old Telnet Vulnerability Now Under Active Exploitation

A trivial argument injection bug in GNU inetutils telnetd grants instant root access—and it's been there since 2014.

Vulnerability Research February 5, 2026 12 min read
CVE ID CVE-2026-24061
Severity CRITICAL - CVSS 9.8
Affected Software GNU inetutils telnetd 1.9.3 through 2.7
Vulnerability Type Authentication Bypass via Argument Injection
Exploitation Active in the wild since January 22, 2026
Fix Available Yes - GNU inetutils 2.8+

In January 2026, security researchers disclosed what may be one of the most elegantly simple authentication bypasses in recent memory. CVE-2026-24061 allows remote attackers to gain root access on any system running the GNU inetutils telnet daemon—using nothing more than a specially crafted username. The vulnerability had existed undetected for 11 years.

The Vulnerability Explained

The flaw stems from how telnetd handles the USER environment variable during login. When a user connects with telnet's -a (automatic login) option, the client sends the local username to the server via the USER environment variable. The telnetd daemon then passes this value to login as a command-line argument.

The problem? No validation. No sanitization. The value is passed directly.

The login command accepts a -f flag that skips password authentication entirely—it's designed for trusted contexts where authentication has already occurred (like SSH's public key authentication calling login to set up the session).

By setting the username to -f root, an attacker causes telnetd to effectively execute:

login -f root

This tells login to authenticate the user "root" without requiring a password. The system obliges, and the attacker receives a root shell.

Impact: Any system running GNU inetutils telnetd versions 1.9.3 through 2.7 with the telnet service exposed is vulnerable to complete system compromise. No credentials required. No prior access needed. The attack takes seconds.

A Timeline of Neglect

The timeline of this vulnerability illustrates a broader problem in security: legacy services that "just work" often escape the scrutiny they deserve.

2014
GNU inetutils 1.9.3 released containing the vulnerable code. The automatic login feature passes user-supplied data directly to the login command without sanitization.
2014-2025
The vulnerability remains undetected for over a decade. Telnet usage declines as SSH becomes the standard, but the service persists in legacy environments, embedded systems, and internal networks.
January 2026
Security researchers discover and report the vulnerability. CVE-2026-24061 is assigned with a CVSS score of 9.8 (Critical).
January 22, 2026
First wave of exploitation observed in the wild. Initial activity appears to be reconnaissance—probing for vulnerable systems.
January 24-27, 2026
Exploitation shifts from probing to active weaponization. Multiple distinct attack campaigns observed targeting exposed telnet services.
January 2026
GNU inetutils 2.8 released with the fix. Patch adds proper validation of the USER environment variable before passing to login.

The Attack Surface

The obvious question: who still runs telnet in 2026?

The answer is sobering. Shodan queries revealed over 214,000 internet-exposed hosts responding on port 23 (telnet). The largest concentrations appeared in:

  • China
  • Brazil
  • Canada
  • Argentina
  • United States

But raw exposure numbers don't tell the whole story. Telnet persists in specific environments where it's often overlooked:

Embedded Systems and IoT

Many industrial control systems, network devices, and IoT equipment still ship with telnet enabled by default. Updating firmware is often impractical or impossible, and these devices may run for years without security patches.

Legacy Enterprise Systems

Mainframes, older Unix systems, and applications that predate SSH often rely on telnet for remote administration. Migration projects stall, and "temporary" telnet access becomes permanent.

Internal Networks

Organizations that block telnet at the perimeter may still run it internally. The assumption that internal networks are trusted leads to lax controls—until an attacker gains initial access through another vector.

Development and Testing Environments

Telnet's simplicity makes it convenient for testing and debugging. Development environments with telnet enabled sometimes make it to production or remain accessible longer than intended.

Why This Matters

CVE-2026-24061 serves as a case study in several security failures:

1. The Danger of "Nobody Uses That"

Telnet's perceived obsolescence meant reduced security scrutiny. Researchers focused on modern protocols while a trivial bypass sat in widely-deployed code for over a decade. Legacy doesn't mean inactive—it often means unpatched.

2. Argument Injection: An Evergreen Bug Class

Passing user input directly to command-line utilities is a mistake as old as shell scripting itself. Yet it persists because:

  • It's convenient for developers
  • It works in testing (with normal inputs)
  • The dangerous cases aren't immediately obvious

The lesson applies broadly: any time user-controlled data reaches a command interpreter (shell, SQL, LDAP, etc.), injection is possible.

3. Trust Boundaries in Unix Design

The login -f mechanism exists for legitimate reasons—it allows pre-authenticated sessions to set up proper login environments. The problem wasn't the feature; it was telnetd's assumption that it controlled the inputs to login. When telnetd passed user-supplied data without validation, it violated the trust boundary that -f assumes.

Detection and Response

Identifying Vulnerable Systems

Organizations should immediately inventory systems running telnet services:

# Find listening telnet services
netstat -tlnp | grep :23
ss -tlnp | grep :23

# Check inetutils version (if applicable)
telnetd --version 2>&1 | head -1

# Network scan for telnet (internal ranges)
nmap -p 23 --open 10.0.0.0/8 192.168.0.0/16

Network-Level Detection

IDS/IPS signatures can detect exploitation attempts by matching the characteristic -f root pattern in telnet sessions. The attack has a distinctive signature because the malicious username must be sent during connection establishment.

Immediate Mitigation

If patching immediately isn't possible:

  • Disable telnet: If the service isn't strictly required, disable it entirely
  • Firewall restrictions: Limit telnet access to specific trusted IP addresses
  • Network segmentation: Isolate systems that must run telnet from critical infrastructure
  • Monitor for exploitation: Alert on any telnet authentication events, especially successful root logins

Long-Term Remediation

The real fix is straightforward:

  1. Upgrade to GNU inetutils 2.8 or later
  2. Better yet, migrate to SSH and disable telnet entirely
  3. For devices that can't be updated, implement compensating controls (network isolation, monitoring, access restrictions)

Indicators of Compromise

Organizations should hunt for signs of exploitation:

Log Analysis

  • Review /var/log/auth.log or /var/log/secure for telnet-related root logins
  • Look for login entries without corresponding password authentication
  • Check for unusual login times or source addresses

Network Traffic

  • Telnet sessions containing -f in the username field
  • Rapid succession of telnet connections from single sources
  • Telnet connections from unexpected geographic locations

System State

  • Unexpected root processes or shells
  • New user accounts or SSH keys
  • Modified system binaries or configurations
  • Persistence mechanisms (cron jobs, systemd units, rc scripts)

Lessons for Security Programs

This vulnerability reinforces several security program imperatives:

Asset Inventory

You can't secure what you don't know exists. Comprehensive asset inventory—including services running on each system—is foundational. Many organizations discovered telnet instances they didn't know about when responding to this CVE.

Legacy System Management

Legacy systems require explicit security decisions, not neglect. Either bring them under active management (patching, monitoring, access control) or isolate them until decommissioning.

Defense in Depth

No single vulnerability should enable complete compromise. Network segmentation, privilege limitations, and monitoring provide defense even when individual components fail.

Vulnerability Scanning Limitations

Traditional vulnerability scanners may not detect this issue if they don't have authenticated access to determine the inetutils version. Network-based detection of the vulnerability itself requires active exploitation testing, which most scanners avoid.

The Broader Context

CVE-2026-24061 arrived in an era of sophisticated supply chain attacks, zero-click exploits, and AI-powered offensive tools. Yet this 11-year-old bug—exploitable with nothing more than a telnet client—achieved what advanced attacks strive for: unauthenticated remote root.

The security community's focus on emerging threats is appropriate, but this incident reminds us that the fundamentals matter. Legacy systems, deprecated protocols, and "obvious" bug classes continue to provide reliable access for attackers.

Sometimes the forgotten attack surface is the most dangerous.

Action Required: If your organization has any telnet services—exposed externally or internally—prioritize patching or disabling them immediately. The simplicity of exploitation means automated attacks will continue scanning for vulnerable systems for years to come.

CVE-2026-24061 Telnet Authentication Bypass GNU inetutils Critical Vulnerability Legacy Systems
← Back to Blog

Concerned About Legacy Systems?

Our vulnerability assessments identify forgotten attack surfaces and legacy risks in your environment.

Request Assessment Explore Vulnerability Assessments