An 11-year-old authentication bypass vulnerability hiding in GNU InetUtils telnetd has resurfaced as one of the most immediately exploitable flaws of 2026. CVE-2026-24061 allows any unauthenticated remote attacker to obtain a root shell on affected systems with a single command — no credentials, no user interaction, no complexity. With over 200,000 Telnet servers publicly exposed and CISA confirming active exploitation in the wild, this vulnerability demands urgent attention from every organization still running legacy telnetd infrastructure.

Vulnerability Overview

CVE-2026-24061 is a critical authentication bypass affecting GNU InetUtils telnetd versions 1.9.3 through 2.7. The flaw originates from a 2015 code commit that introduced a %U placeholder into the login command template — a placeholder populated directly from the attacker-controlled USER environment variable with zero sanitization.

The vulnerability enables unauthenticated remote attackers to inject arbitrary command-line flags into the login subprocess, bypassing all authentication and immediately granting root shell access over the network.

  • CVE ID: CVE-2026-24061
  • Severity: Critical
  • CVSS Score: 9.8
  • EPSS Score: 29%
  • Published: January 19, 2026
  • Impact: Remote Code Execution as root
  • Authentication Required: None
  • Affected Versions: GNU InetUtils telnetd 1.9.3 through 2.7-2

Technical Breakdown: How the Flaw Works

GNU InetUtils telnetd delegates authentication to /usr/bin/login by spawning it as a subprocess. During connection setup, telnetd constructs a command-line string for that login process, inserting user-provided data to pass context such as the connecting hostname and username.

The root cause is unsafe string interpolation of client-controlled data. The %U placeholder in the login command template is replaced with the value of the USER environment variable. The Telnet protocol's NEW_ENVIRON option allows clients to set environment variables during the connection negotiation handshake — meaning an attacker can supply any value they choose for USER before authentication ever begins.

Because telnetd performs no validation or sanitization on this value, an attacker sets USER to -f root. The resulting login command becomes:

/usr/bin/login -h [hostname] "-f root"

The -f flag instructs login to skip authentication entirely and immediately grant a shell to the named user. The result is instant, unauthenticated root access.

The Vulnerable Code Path

The problem lived in telnetd/utility.c, specifically in the format string substitution logic. The case 'U' branch fetched the USER environment variable and returned it verbatim:

The fix, introduced across two upstream commits, added a sanitize() function that rejects values beginning with a dash (-) or containing shell metacharacters. Every format string substitution point — not just USER, but also hostname, terminal type, and line — was updated to pass through this sanitizer, making the second commit the more complete and correct remediation.

Exploitation: Trivially Simple

Unlike many critical vulnerabilities that require multi-stage exploit chains or specialized tooling, CVE-2026-24061 is exploitable with a standard Telnet client. The proof-of-concept is a single shell command:

USER='-f root' telnet -a <target-ip>

Setting the USER environment variable before invoking the Telnet client causes that value to be transmitted via the NEW_ENVIRON option during the protocol handshake. The -a flag enables automatic login using the current environment — delivering the injected argument directly into telnetd's login command construction. No exploit framework, no shellcode, no privilege escalation chain required.

Impact and Real-World Exposure

The severity of CVE-2026-24061 extends well beyond its technical simplicity. Several factors compound the risk for affected organizations:

  • Massive attack surface: Internet scans reveal over 212,000 devices currently running Telnet servers globally, with approximately 1 million devices listening on port 23.
  • Active exploitation confirmed: CISA has added CVE-2026-24061 to its Known Exploited Vulnerabilities (KEV) catalog, with threat actors including the group rwxrwx observed actively exploiting the flaw.
  • No authentication required: The absence of any prerequisite — no account, no credentials, no prior foothold — makes this trivially exploitable by automated scanning tools and opportunistic attackers alike.
  • Complete system compromise: Successful exploitation delivers an immediate root shell, granting full control: data theft, backdoor installation, lateral movement, and service disruption are all immediately within reach.
  • 11 years of silent exposure: The vulnerable code was introduced in 2015, meaning affected systems have been silently exploitable for over a decade.

Affected Systems and Infrastructure

While Telnet is widely regarded as a deprecated protocol unsuitable for modern environments, it persists in surprising places. CVE-2026-24061 specifically threatens:

  • Legacy Unix and Linux servers running older GNU InetUtils packages
  • Embedded systems and IoT devices that ship with telnetd enabled for management access
  • Network appliances (routers, switches, firewalls) from vendors who bundled GNU InetUtils
  • Operational Technology (OT) and Industrial Control Systems (ICS) infrastructure where legacy protocols remain common
  • Any system running GNU InetUtils telnetd 1.9.3 through 2.7-2, including the telnetd package on Debian, Ubuntu, and derivative distributions

Remediation and Mitigation

Organizations should treat this vulnerability as requiring immediate action given confirmed active exploitation. The recommended remediation steps are straightforward:

  • Upgrade GNU InetUtils: Patch to a version beyond 2.7-2 that includes the upstream sanitization fix. On Debian/Ubuntu systems, apt upgrade inetutils-telnetd will pull the patched package once it reaches your distribution's repository.
  • Disable Telnet entirely: Where Telnet is not strictly required, disable and remove telnetd immediately. SSH is the appropriate replacement for all remote access use cases.
  • Block port 23 at the perimeter: Firewall rules should prevent inbound connections to TCP port 23 from untrusted networks as an immediate containment measure.
  • Audit exposed services: Use network scanning to identify any internal or external hosts running Telnet services. Shodan and similar tools can assist in identifying internet-facing exposure.
  • Apply CISA KEV guidance: Federal agencies and CISA-aligned organizations should follow the KEV catalog remediation deadlines for CVE-2026-24061.

Conclusion

CVE-2026-24061 is a stark reminder that legacy protocol debt carries real, critical-severity consequences. A single unsanitized environment variable introduced in a 2015 commit silently enabled unauthenticated root access for over a decade across hundreds of thousands of devices globally. The exploitation barrier is essentially zero — a one-liner from any standard Telnet client is all it takes.

If your environment has any systems running GNU InetUtils telnetd, treat this as a fire drill: patch or remove the service today, block port 23 at the network boundary, and verify your exposure via active scanning. With public proof-of-concept code circulating and confirmed exploitation by active threat groups, the window for remediation before compromise is already closing.