Hackers Exploit telnetd Vulnerability for Root Access

A critical authentication bypass vulnerability, identified as CVE-2026-24061, within the GNU InetUtils telnetd server is currently under active exploitation. Threat actors are leveraging this flaw to gain unauthenticated root access to Linux systems.

The vulnerability, which affects GNU InetUtils versions 1.9.3 through 2.7, enables remote code execution by manipulating the USER environment variable passed during the Telnet negotiation phase.

Grey Noise has detected a coordinated exploitation campaign targeting Telnet services (TCP/23) using the telnetd -f authentication bypass flaw.

The attack leverages a command injection vulnerability where the Telnet daemon passes an unsanitized USER environment variable to the /usr/bin/login binary. By supplying the value -f root, attackers force the login program to treat the session as pre-authenticated, bypassing all credential checks and granting an immediate root shell.

Recent analysis of honeypot traffic has captured 60 unique exploitation attempts from 18 distinct source IP addresses. These attacks range from opportunistic scanning to targeted persistence mechanisms, including SSH key injection and malware deployment.

telnetd Vulnerability CVE-2026-24061

The vulnerability resides in the way telnetd invokes the login program. Typically, telnetd executes /usr/bin/login (running as root) and passes the client-supplied USER variable as the final argument.

The exploitation flow proceeds as follows:

1. Negotiation: The attacker initiates a Telnet connection and sends a malicious ENVIRON variable.
2. Injection: The USER variable is set to -f root.
3. Execution: telnetd executes login -p -h <host> -f root.
4. Bypass: The -f flag instructs login to skip authentication for the specified user (root), granting a shell.

Analysis of captured attack traffic reveals distinct patterns in attacker behavior. The most prolific source, 178.16.53[.]82, accounted for 12 sessions targeting 10 unique systems, utilizing a consistent payload configuration (9600 baud, XTERM-256COLOR).

Attackers are employing diverse payload configurations to evade simple signature detection:

• Terminal Speed: 38400 baud and 9600 baud are common, though some attacks negotiate 0,0 (no speed).
• Terminal Type: Payloads vary between standard XTERM-256COLOR, compatibility mode xterm-256color, and generic UNKNOWN types.
• Target Users: While root is the primary target (83% of attempts), probes for nobody, daemon, and randomized users like nonexistent123 have been observed.

Upon gaining access, attackers immediately execute reconnaissance commands (uname -a, id, cat /etc/passwd) often wrapped in delimiters (e.g., S…EU…blah) for automated parsing by C2 infrastructure.

More advanced actors attempt to establish persistence. One campaign from 216.106.186[.]24 attempted to append a 3072-bit RSA key to ~/.ssh/authorized_keys. This same actor also attempted to fetch a second-stage Python payload (apps[.]py) from a distribution server, indicating a potential botnet recruitment drive.

Indicators of Compromise (IOCs)

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.