A deep dive into the 9.8 CVSS authentication bypass in GNU Inetutils that's currently being exploited in the wild.

Introduction

Although Telnet is widely regarded as a legacy protocol for remote access and command execution, it remains enabled across a surprising number of modern and legacy environments. These include Unix/Linux systems, embedded devices, network appliances, and operational technology (OT)–adjacent infrastructure, where outdated services are often retained for compatibility or ease of management.

According to Shodan, a search engine for internet-connected devices and services, over 222,000 systems worldwide are currently exposing a Telnet service. While not all of these systems necessarily run the vulnerable GNU telnetd implementation, the sheer scale of exposed Telnet endpoints highlights a substantial and persistent attack surface.

In this context, CVE-2026–24061 carries particularly severe implications. With a CVSS score of 9.8 (Critical), the vulnerability enables unauthenticated, remote attackers to gain immediate root-level access, making it a highly effective initial-access vector. Systems exposing Telnet to untrusted networks are therefore at immediate risk of full compromise, especially in environments where legacy services are rarely monitored or patched.

The Vulnerability at a Glance

CVE-2026–24061 is a critical (CVSS 9.8) authentication bypass vulnerability in the telnetd daemon from GNU Inetutils (since version 1.9.3 up to and including version 2.7). It allows a remote, unauthenticated attacker to gain immediate root access by injecting a specially crafted value into the USER environment variable during the Telnet negotiation phase.

Severity & Classification

The following metrics provide a structured breakdown of the vulnerability's severity according to the CVSS 3.1 scoring framework, highlighting why this issue is considered critical and easily exploitable in real-world environments.

• Base score : 9.8 — Critical
• Attack vector: Network
• Attack complexity: Low
• Privileges required: None
• User interaction: None
• Scope: Unchanged
• Confidentiality: High
• Integrity impact: High
• Availability impact: High
• CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weakness Classification: CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The vulnerability stems from improper handling of argument boundaries when constructing a command-line invocation of the system login utility, allowing attacker-controlled data to alter execution semantics rather than being treated as passive input.

Vulnerability Overview

The vulnerability is rooted in a command injection flaw during the Telnet environment negotiation phase (specifically via NEW-ENVIRON). When a client connects, telnetd accepts user-defined environment variables to facilitate the session setup. Because the daemon fails to sanitize the USER variable, an attacker can append command-line arguments that are later passed directly to the /usr/bin/login binary. By supplying a payload such as -f root, the attacker forces the login process to interpret the -f flag — a parameter designed to "force" a login by bypassing the standard password authentication check. This effectively misleads the system into treating the unauthenticated remote connection as a pre-authenticated local transition, granting immediate, high-privileged access to the root account.

Root Cause Analysis

The vulnerability was introduced in a commit dated March 19, 2015, which can be traced to the following change in the GNU Inetutils codebase:

• https://codeberg.org/inetutils/inetutils/commit/fa3245ac8c288b87139a0da8249d0a408c4dfb87

This commit introduced new logic related to how telnetd constructs the command used to invoke the system login process.

Examining the added code reveals the construction of a command-line–like string responsible for executing /usr/bin/login along with its arguments. Notably, the commit modifies a constant template used to build this invocation by introducing a new placeholder: %U. The login binary itself is referenced via the PATH_LOGIN constant, which resolves to /usr/bin/login.

At first glance, the change appears minor, as it does not alter existing logic but instead appends new behavior. A closer look at the utility.c shows the addition of a new switch case associated with the character U, which is used during variable expansion.

To understand why this addition is dangerous, it is necessary to review how Telnet authentication is implemented. When a user connects via Telnet, the telnetd daemon delegates authentication to the system's login(1) executable. This binary is responsible for validating credentials and, upon success, spawning an interactive shell for the user.

The newly added %U placeholder appears in telnetd.c (approximately lines 49–63) as part of a formatting template named login_invocation. This template defines how the final command-line for login is assembled at runtime.

Searching for references to login_invocation shows that it is consumed by the start_login function, which implements the main authentication flow. This function is located in pty.c and is responsible for preparing and executing the login process.

Within start_login, the expand_line function is called using login_invocation as input. Through several layers of processing, execution eventually reaches the _var_short_name function, where individual placeholders are expanded.

The previously mentioned switch case for %U is implemented inside _var_short_name. This logic replaces the %U placeholder with the value of the USER environment variable.

Crucially, the USER environment variable is not a trusted value. It can be supplied directly by the remote client during the Telnet NEW-ENVIRON negotiation phase, making it fully attacker-controlled.

Because the expanded value is inserted directly into the argument list used to invoke /usr/bin/login, an attacker can inject additional command-line options rather than a simple username. Revisiting the start_login logic confirms that no argument boundary enforcement or sanitization occurs at this stage.

Reviewing the available options supported by the login(1) binary reveals a particularly dangerous flag: -f. When supplied, this option instructs login to skip interactive authentication entirely, assuming that the user has already been authenticated by a trusted source.

By injecting -f root via the USER environment variable, an attacker can force telnetd to execute /usr/bin/login in a pre-authenticated mode. The result is an immediate root shell without any password prompt, effectively granting remote code execution with the highest possible privileges on affected systems running GNU telnetd up to version 2.7–2.

Patch Analysis

The vulnerability was discovered and responsibly disclosed by Kyu Neushwaistein (aka Carlos Cortes Alvarez) on 2026–01–19.

An initial fix was prepared and committed by Paul Eggert on 2026–01–20, addressing the unsafe handling of user-controlled environment variable expansion within telnetd.

Shortly after, Simon Josefsson enhanced the fix to cover additional expansion paths and related edge cases, further hardening the code against similar argument injection issues.

Together, these patches introduce stricter sanitization rules for variables used during expansion, preventing attacker-supplied values from being interpreted as command-line arguments.

The relevant commits:

• Initial fix: https://codeberg.org/inetutils/inetutils/commit/fd702c02497b2f398e739e3119bed0b23dd7aa7b

• Follow-up hardening: https://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc

Proof of Concept (PoC)

The target system (Ubuntu VM) was initially scanned to identify exposed services and potential attack surfaces.

A full service enumeration scan revealed that the Telnet service (TCP/23) was active and accessible from the network, indicating a potentially high-risk configuration due to Telnet's lack of encryption and historical vulnerabilities.

Based on the scan results, further validation was performed to determine whether the detected Telnet service was associated with a vulnerable version (optional but recommended). An Nmap version detection scan was executed using both the version detection engine and scripting engine. However, the scan did not return any meaningful or conclusive version information that could confirm or deny vulnerability status.

Given the simplicity of the exploit and the nature of the identified service, exploitation was attempted directly. The exploit attempt was successful, confirming that the service is affected by CVE-2026–24061.

Upon exploitation, an unauthenticated Telnet connection was established, resulting in immediate root-level access to the target system without requiring valid credentials. This demonstrates a critical security flaw that allows full system compromise.

Impact & Notes

This is basically a free root shell over the network if telnetd is exposed. In real-world scenarios, telnet is often found on legacy embedded systems, routers, or misconfigured servers that never got patched. Active exploitation is already being reported in the wild, and CISA has added it to the KEV catalog.

Mitigation Recommendations

• Upgrade to GNU Inetutils >= 2.7–2 (patches are out).
• Disable telnetd entirely and use SSH instead.
• Block port 23 at the firewall if telnet isn't needed.

Disclaimer

This PoC is for educational and authorized testing purposes only. Do not use it on systems you don't own or have explicit permission to test.

References

• https://thehackernews.com/2026/01/critical-gnu-inetutils-telnetd-flaw.html
• https://nvd.nist.gov/vuln/detail/CVE-2026-24061
• https://www.cve.org/CVERecord?id=CVE-2026-24061
• https://www.openwall.com/lists/oss-security/2026/01/20/2
• https://www.openwall.com/lists/oss-security/2026/01/20/8
• https://ubuntu.com/security/CVE-2026-24061

Enjoyed this deep dive? Follow me for more cybersecurity write-ups, CVE hunting tips, and vulnerability analysis!

If you have questions or want to discuss, comment below or connect with me on LinkedIn.