800K+ GNU InetUtils telnetd Instances Exposed to RCE Attacks –

A critical authentication bypass vulnerability has been discovered within the telnetd component of GNU Inetutils, exposing approximately 800,000 internet-accessible Telnet instances to unauthenticated remote code execution (RCE).

Tracked as CVE-2026-24061 with a CVSS score of 9.8, the flaw allows attackers to gain root-level access without valid credentials, posing a severe risk to exposed infrastructure worldwide.

Vulnerability Details

The vulnerability stems from an argument injection flaw in telnetd versions 1.9.3 through 2.7.

The telnetd server fails to sanitize the USER environment variable before passing it to/usr/bin/login, allowing attackers to inject the string “-f root” and bypass authentication entirely.

When an attacker connects using telnet -a or –login with USER set to “-f root”, the login process interprets the “-f” flag as a force-login parameter, automatically granting root access without performing authentication checks.

The vulnerability was introduced in a March 2015 source code commit that remained undetected for nearly 11 years across major Linux distributions, including Debian, Ubuntu, Kali Linux, and Trisquel.

Proof-of-concept exploits have been publicly released and are actively being leveraged in the wild.

GreyNoise detected real-world exploitation within 18 hours of public disclosure, capturing 1,525 packets across 60 Telnet sessions from 18 unique attacker IPs between January 21-22, 2026.

The majority of attacks (83.3%) targeted root user access, with post-exploitation activities including SSH key persistence, system reconnaissance, and attempts to deploy malware.

Organizations should immediately upgrade to GNU InetUtils version 2.8 or later.

For systems unable to upgrade, critical mitigations include: turning off the telnetd service entirely, blocking TCP port 23 at network perimeter firewalls, and restricting Telnet access to trusted clients only.

The Shadowserver Foundation’s Accessible Telnet Report can help organizations identify exposed instances on their networks.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.