Hackers Exploit Critical Telnetd Authentication Bypass to Gain Root Access (CVE-2026-24061)
A newly disclosed critical vulnerability in GNU InetUtils telnetd is already being exploited in the wild, with attackers attempting automated recon, SSH key persistence, and malware delivery after gaining shell access. Tracked as CVE-2026-24061, the bug has existed since 2015 and affects InetUtils versions 1.9.3 through 2.7. For any organization that still runs Telnet on legacy Linux, embedded, or OT environments, this is a high urgency exposure problem: if TCP/23 is open, compromise can be near-instant.
What happened
Security researchers and threat monitoring teams have observed active exploitation of CVE-2026-24061, a critical flaw in the GNU InetUtils telnet daemon (telnetd). The vulnerability enables remote attackers to bypass authentication and obtain a shell as a chosen local account, most commonly root, without valid credentials.
While Telnet is widely considered a legacy protocol, it still appears in real environments:
- Industrial networks
- Embedded systems
- Lab infrastructure
- Long-lived Linux deployments where "if it still works, do not touch it" becomes the operating model
This incident is a reminder that legacy does not mean low risk. It often means high blast radius, slow patch cycles, and hard-to-replace devices.
The vulnerability in plain terms
CVSS 9.8 Critical - Unauthenticated Remote Root
The root cause is argument injection in how telnetd handles client-supplied environment variables during Telnet option negotiation. Telnetd passes the USER environment variable to the system login process without sanitizing it. The login program supports a flag that can skip normal authentication when it believes the session is pre-authenticated. An attacker can abuse this behavior remotely.
Why this is especially dangerous
| Risk Factor | Description |
|---|---|
| Unauthenticated | No credentials required to exploit |
| Network reachable | Exploitable over TCP/23 from any network position |
| Root access | Can lead directly to root shell in common configurations |
| Low complexity | Public exploit examples available, technique is straightforward |
| Long exposure window | Vulnerable code present since 2015 (versions 1.9.3+) |
Who is at risk
You should treat this as high priority if any of the following are true:
- You run GNU InetUtils telnetd, or inherited it through inetd style services
- TCP port 23 is reachable from untrusted networks (internet, partner networks, flat internal segments)
- You operate OT, ICS, or embedded environments where Telnet remains enabled for maintenance
- You rely on aging Linux images, appliance-like systems, or vendor stacks that rarely receive updates
Can an attacker reach Telnet? If yes, then the attacker uses it.
Even if you believe "nobody uses Telnet," the relevant question is different: can an attacker reach Telnet? If the answer is yes, then the attacker uses it.
What exploitation looks like in the wild
Observed activity indicates coordinated probing of Telnet services, often automated, followed by post-exploitation steps that resemble common initial access playbooks:
Post-exploitation patterns observed
| Stage | Technique |
|---|---|
| Recon | Basic host and identity discovery (system enumeration, user lists) |
| Persistence | Attempts to add SSH authorized keys for future access |
| Payload delivery | Fetching and executing additional payloads using curl, wget, or similar |
In several observed cases, follow-on steps failed due to missing utilities or directories on the target, but that is not a reliable defense. Attack chains rapidly evolve once attackers confirm a workable entry point.
Campaign metrics (GreyNoise)
| Metric | Value |
|---|---|
| Unique attacker IPs | 18 |
| Telnet sessions observed | 60 |
| Total packets | 1,525 |
Immediate mitigation and patch guidance
1) Eliminate exposure first
The safest mitigation is to disable telnetd entirely. If you must keep Telnet for operational reasons, restrict access aggressively:
- Block TCP/23 at the perimeter and between internal segments by default
- Allowlist only known admin subnets
- Put telnetd behind a VPN or zero trust access broker
- Add compensating controls such as strict monitoring and rapid isolation procedures
2) Patch using your distribution's security updates
Upstream fixes exist, but most environments consume telnetd via distribution packages. Apply the relevant inetutils updates from your distro security channel as soon as they are published for your release line.
Upstream patched version available
3) If you cannot patch
Treat the system as potentially exposed and reduce blast radius:
| Action | Implementation |
|---|---|
| Remove network reachability | Block port 23 at all network boundaries |
| Segment the asset | Dedicated management VLAN with strict ACLs |
| Implement jump hosts | Logging-enabled bastion for any required access |
| Plan decommission | Replace with SSH or vendor-supported management |
Detection and hunting: what to look for
Prioritize detection in two layers: network and host.
Network level signals
| Indicator | Priority |
|---|---|
| Any inbound Telnet traffic (TCP/23) from unexpected sources | High |
| Bursts of short-lived Telnet sessions | Medium |
| Atypical Telnet option negotiation patterns (environment variable injection) | Critical |
Host level signals
| Indicator | Priority |
|---|---|
| Unusual login events tied to telnetd or inetd initiated sessions | Critical |
| Creation or modification of ~/.ssh/authorized_keys | Critical |
| Suspicious command execution sequences right after login | High |
| Download and execution patterns (curl to python, wget to sh) | Critical |
Quick triage commands (Linux)
# Is Telnet listening?
ss -lntp | grep ':23'
# What package/version is installed (Debian/Ubuntu style)?
dpkg -l | grep inetutils
# Check for telnetd or inetd style services
ps aux | egrep 'telnetd|inetd' | grep -v grep
# Recent auth events (depends on distro)
sudo journalctl -u inetutils-inetd --since "7 days ago" 2>/dev/null
sudo grep -iE 'telnet|inetd|login' /var/log/auth.log 2>/dev/null | tail -n 200
Why this still matters in 2026: the legacy and OT reality
Security teams often discount Telnet vulnerabilities because the protocol is "obsolete." Operational teams keep Telnet because the systems are not.
The OT and embedded challenge
In OT and embedded environments, upgrades may require:
- Downtime that production cannot afford
- Reboot cycles that disrupt operations
- Recertification for regulated environments
- Vendor support that no longer exists
That mismatch is exactly what attackers exploit: a service that should be gone, but is still reachable.
The business takeaway
Eliminate legacy remote management exposure wherever possible
When you cannot eliminate exposure:
- Wrap it in hardened access controls
- Implement monitoring that assumes compromise attempts are continuous
- Plan and budget for protocol replacement or system decommission
Closing
CVE-2026-24061 is a textbook example of why legacy exposure remains a critical risk category. The vulnerability is simple, exploitation is active, and the impact is root access. If your environment includes any systems running GNU InetUtils telnetd with network reachability, treat this as an urgent action item:
- Disable telnetd where possible
- Block TCP/23 at all network boundaries
- Patch via distro security updates
- Hunt for evidence of compromise during the exposure window
The attacker does not care that Telnet is obsolete. They care that it is reachable.
Frequently Asked Questions
A critical authentication bypass in GNU InetUtils telnetd that can let remote attackers log in without credentials by abusing unsanitized environment variable handling passed to the system login process.
No. It specifically impacts GNU InetUtils telnetd within affected versions. However, many systems ship with it or embed it indirectly, so inventory matters.
Yes. Internal reachability is still reachability. Flat networks, partner links, and compromised endpoints can turn an "internal-only" Telnet service into a rapid lateral movement path.
Disable telnetd and block TCP/23 at firewalls. If you cannot disable it, restrict access to a small allowlist and put it behind VPN or a zero trust gateway.
If Telnet was reachable from untrusted networks, you should validate logs and host telemetry for suspicious sessions, new SSH keys, and post-login command execution.
Comments
Want to join the discussion?
Create an account to unlock exclusive member content, save your favorite articles, and join our community of IT professionals.
New here? Create a free account to get started.