A critical vulnerability in the GNU telnetd service has sent shockwaves through the security community. Tracked as CVE-2026-24061 and carrying a near-perfect CVSS score of 9.8, this flaw allows an unauthenticated remote attacker to establish a Telnet session and obtain a root shell — no credentials required. SafeBreach Labs has published a full root cause analysis alongside a proof-of-concept (PoC) exploit, providing defenders and researchers with everything they need to understand and respond to this threat.

What Is CVE-2026-24061?

CVE-2026-24061 is an authentication-bypass vulnerability affecting the GNU telnetd service from GNU InetUtils, present in all versions up to and including 2.7-2. The flaw was discovered in January 2026 by researcher Kyu Neushwaistein (also known as Carlos Cortes Alvarez).

Although Telnet is widely considered a legacy protocol, it remains active in a surprisingly large number of environments — including Unix/Linux servers, embedded systems, network appliances, and OT-adjacent infrastructure. According to Shodan, more than 212,000 devices globally are currently running a Telnet server, while Censys data shows over 1 million devices listening on TCP port 23. Not all of these are running the vulnerable GNU telnetd, but the potential attack surface is significant.

Root Cause: A Decade-Old Commit

The vulnerability traces back to a single commit made in 2015 — meaning this flaw has been sitting in production systems for over a decade without detection. The problematic change was introduced in telnetd.c and modified a formatting template called login_invocation by adding a new placeholder: %U.

Here is how the flaw works step by step:

  • The login_invocation constant constructs the command line used to invoke /usr/bin/login, the standard Linux binary responsible for user authentication.
  • The %U placeholder, added in 2015, is expanded at runtime by the _var_short_name function inside pty.c.
  • At expansion time, %U is replaced with the value of the USER environment variable — a value that can be set directly by the connecting client via the Telnet protocol's environment negotiation feature.
  • Because the user-supplied value is inserted unsanitized into the /usr/bin/login command line, an attacker can inject arbitrary flags — including the -f flag.

Why the -f Flag Is So Dangerous

The -f flag in the Linux login binary instructs it to skip interactive authentication entirely and proceed directly to establishing a session. When an attacker injects -f root (or similar) into the command line via the manipulated USER environment variable, the telnetd service hands them a fully authenticated root shell — without ever prompting for a password.

The -f flag skips the interactive authentication and just drops us into a root shell, providing an extremely powerful RCE on any server running GNU telnetd up to version 2.7-2. — SafeBreach Labs

This makes CVE-2026-24061 a direct initial-access vector. An attacker with network access to a vulnerable system's port 23 can achieve full root-level remote code execution in seconds, with no credentials and minimal tooling.

The Telnet Protocol's Role in the Attack

The Telnet protocol supports a feature called environment variable negotiation, which allows a client to propose environment variables to the server before a session is established. This is intended to pre-fill information such as the username (autologin). In the exploit chain for CVE-2026-24061, an attacker sends crafted SUBOPTION packets during the Telnet handshake to set the USER environment variable to a malicious value — one that injects the -f flag into the eventual /usr/bin/login invocation.

SafeBreach Labs confirmed this by analyzing the Telnet packet exchange: the final SUBOPTION packets carry the attacker-controlled environment data, which flows directly into the vulnerable code path.

Additional Impact: Arbitrary Environment Variable Control

Beyond the authentication bypass itself, SafeBreach Labs discovered a secondary capability unlocked by this vulnerability. Because the Telnet protocol allows clients to set environment variables that are inherited by telnetd and its child processes, a successful attacker gains the ability to set arbitrary environment variables for any process spawned by the Telnet service. This level of control can be leveraged for further post-exploitation, persistence, or manipulation of child process behavior — extending the blast radius well beyond a simple shell.

Scope and Exposure

The following factors contribute to the severity of CVE-2026-24061:

  • CVSS 9.8 (Critical) — no authentication, no user interaction, full system compromise.
  • Network-exposed service — Telnet runs on port 23, often exposed to untrusted networks in legacy setups.
  • Broad version coverage — all GNU InetUtils telnetd versions through 2.7-2 are affected.
  • Widespread deployment — embedded systems, OT networks, and aging Linux servers frequently leave Telnet enabled.
  • Public PoC available — SafeBreach Labs has released a working exploit on GitHub, lowering the barrier for exploitation.

Recommended Mitigations

Organizations should treat CVE-2026-24061 as a priority remediation item. Key steps include:

  • Disable Telnet immediately where it is not strictly required. Replace it with SSH for all remote administration tasks.
  • Patch GNU InetUtils to a version beyond 2.7-2 once a patched release is available from the upstream maintainers.
  • Audit firewall rules to ensure port 23 is not reachable from untrusted networks or the public internet.
  • Scan your environment using tools like Shodan or Censys queries scoped to your IP ranges to identify exposed Telnet services.
  • Monitor for exploitation attempts — watch for unexpected Telnet connections and anomalous child processes spawned by telnetd.

Conclusion

CVE-2026-24061 is a stark reminder that legacy protocols carry legacy risks — and that a single careless commit can introduce a critical security flaw that lingers undetected for years. The fact that this authentication bypass has existed since 2015, affecting one of Linux's most fundamental remote access services, underscores the need for continuous security research and proactive attack surface reduction. SafeBreach Labs' root cause analysis and PoC exploit provide the security community with the clarity needed to act. If your environment has any exposure to GNU telnetd, treat remediation as urgent — attackers now have everything they need to exploit this at scale.