CVE-2026-24061 – GNU InetUtils telnetd Argument Injection Authentication Bypass

Vulnerable Version

Versions up to 2.7-2

Fixed Version

Update to the latest version (2.8 or later)

Base Score

9.8 (Critical)

Vendor Description:

GNU InetUtils is a collection of standard network utilities that provide basic client and server functionality for TCP/IP communication on Unix-like operating systems. It includes commonly used tools such as telnet, ftp, ping, traceroute, and related network services. These utilities are designed as free and open-source replacements for traditional BSD networking tools. GNU InetUtils is often used in Linux environments for testing, debugging, and maintaining network connectivity. While functional, some components are considered legacy and may pose security risks if exposed to untrusted networks.

CVE-2026-24061 Description:

CVE-2026-24061 is a critical authentication bypass in the telnetd service shipped with GNU InetUtils, affecting versions up to 2.7-2; it lets attackers gain access without valid credentials. The root cause is a 2015 commit in telnetd.c that introduced a “%U” placeholder in the “login_invocation” string. “%U” expands to the user-controlled “USER” environment variable, which the client sets through Telnet SUBOPTION packets during option negotiation, and the expanded value is substituted directly into the command line for /usr/bin/login in the start_login function in pty.c. A USER value that includes the “-f” flag (for example “root -f”) is therefore interpreted by login as its non-interactive login option, so interactive authentication is skipped and a root shell is spawned, giving remote code execution (RCE).

Further analysis revealed broader impact: an attacker can also set arbitrary environment variables such as PATH for the telnetd process and its children (including login), because child processes inherit the environment by default on Linux; this can poison executable lookup or alter other behaviour during a session. The flaw’s simplicity, its CVSS score of 9.8, and its presence on roughly 212k Telnet servers detected by Shodan (Censys counts about 1M port 23 listeners) make it a high-risk initial-access vector on exposed legacy systems.
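The two paragraphs above describe the defect (a user-controlled value expanded into a command string that is then re-tokenised) and the environment inheritance that compounds it. The following C is an added example, not inetutils code and not the upstream fix; function names, the allowlist pattern and the sample host address are assumptions made for the illustration. It shows the hardened shape: validate the negotiated USER value against a strict allowlist, build argv for login as an array (so the name is always one element, placed after "--"), and hand the child a fixed environment rather than whatever the client sent.

```c
/* Added example (not inetutils code, names are hypothetical): validate the
 * Telnet-negotiated USER value against an allowlist and hand login(1) a
 * fixed argv and environment, instead of expanding %U into a command string
 * that is re-tokenised before exec. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_USER_LEN 32
#define LOGIN_PATH "/usr/bin/login"

/* Accept only [a-z_][a-z0-9_-]* of bounded length. Whitespace or a leading
 * '-' (as in "root -f") is rejected, so the value can never be read as an
 * option by login. */
int username_is_safe(const char *user)
{
    if (user == NULL || user[0] == '\0' || strlen(user) > MAX_USER_LEN)
        return 0;
    if (!(islower((unsigned char)user[0]) || user[0] == '_'))
        return 0;
    for (size_t i = 1; user[i] != '\0'; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!(islower(c) || isdigit(c) || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Whitespace tokenisation, as a shell-style split of the expanded
 * login_invocation does it: "root -f" becomes two argv entries. */
int token_count(const char *s)
{
    int count = 0, in_token = 0;
    for (; *s != '\0'; s++) {
        if (isspace((unsigned char)*s))
            in_token = 0;
        else if (!in_token) {
            in_token = 1;
            count++;
        }
    }
    return count;
}

/* Build argv directly, no string expansion: the validated user name is one
 * element after "--" (getopt stops option parsing there). Returns argc, or
 * -1 if the name is rejected or there is no room for the NULL terminator. */
int build_login_argv(const char *remote_host, const char *user,
                     const char *argv[], int max_argv)
{
    int argc = 0;
    if (!username_is_safe(user) || max_argv < 6)
        return -1;
    argv[argc++] = LOGIN_PATH;
    argv[argc++] = "-h";
    argv[argc++] = remote_host;
    argv[argc++] = "--";
    argv[argc++] = user;
    argv[argc] = NULL;
    return argc;
}

/* Environment for the child: a fixed PATH plus TERM only when well-formed.
 * Client-supplied PATH, LD_PRELOAD, USER etc. never reach login or its
 * children. Returns the number of entries (NULL terminator excluded). */
int build_child_env(const char *term, const char *envp[], int max_env)
{
    static char term_entry[64];   /* storage for "TERM=..." (demo only) */
    int n = 0;
    if (max_env < 3)
        return -1;
    envp[n++] = "PATH=/usr/bin:/bin";
    if (term != NULL && term[0] != '\0' && strlen(term) < 40) {
        int ok = 1;
        for (const char *p = term; *p != '\0'; p++)
            if (!(isalnum((unsigned char)*p) || strchr("_+.-", *p)))
                ok = 0;
        if (ok) {
            snprintf(term_entry, sizeof term_entry, "TERM=%s", term);
            envp[n++] = term_entry;
        }
    }
    envp[n] = NULL;
    return n;
}

int main(void)
{
    const char *argv[8];
    const char *envp[4];
    const char *names[] = { "alice", "root -f", "-f" };   /* constructed inputs */
    for (int i = 0; i < 3; i++)
        printf("%-8s tokens=%d safe=%d\n", names[i],
               token_count(names[i]), username_is_safe(names[i]));
    if (build_login_argv("203.0.113.5", "alice", argv, 8) > 0)   /* documentation address */
        printf("argv: %s %s %s %s %s\n", argv[0], argv[1], argv[2], argv[3], argv[4]);
    printf("env entries: %d\n", build_child_env("xterm", envp, 4));
    return 0;
}
```

The allowlist is deliberately stricter than what some systems permit in account names; widen it only as far as your site actually needs, since every extra character class is one more thing login has to parse. Passing the name after "--" assumes login's getopt-style option parsing, which util-linux and BSD login both honour.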

Impacts

  • Enables remote authentication bypass over networks with low complexity and no privileges, granting attackers full root shell access via simple Telnet connections.
  • Exposes high confidentiality, integrity, and availability risks (CVSS 9.8), allowing data theft, system modification, or denial of service on vulnerable devices.
  • Facilitates initial access pivots in networks, especially legacy Unix/Linux systems, embedded IoT, network appliances, and OT infrastructure still running Telnet.
  • Permits arbitrary environment variable control (e.g., PATH, LD_PRELOAD), enabling child process poisoning, dynamic linker hijacks, or further exploits in login sessions.
  • Affects ~212k exposed Telnet servers (Shodan) or 1M port 23 listeners (Censys), amplifying widespread RCE potential in unpatched, long-lived devices.

Mitigations

  • Update GNU InetUtils telnetd to version 2.8 or later (or distro-patched equivalents like “sanitize-expansions” fixes) to block USER variable injections.
  • Disable Telnet entirely and migrate to SSH for all remote access, as Telnet is insecure by design.
  • Restrict Telnet exposure via firewalls, VPNs, or IP whitelisting; never allow public internet access to port 23.
  • Monitor logs for suspicious /usr/bin/login executions with “-f” flags from telnetd processes to detect exploitation attempts.
  • Conduct asset scans (e.g., Shodan/Censys) and patch management audits for legacy systems, prioritizing embedded/OT devices.
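The log-monitoring mitigation above (login launched by telnetd with a "-f" flag) is easy to state and easy to get wrong, because the flag may be attached to its argument and because a "-f" from getty-style autologin is normal. The C below is an added example, not from the advisory or from inetutils; the one-line-per-exec log format, the field names and the sample events are constructed for it, so adapt get_field() to whatever your exec auditing actually emits (auditd SYSCALL/EXECVE record pairs, an eBPF exec tracer, and so on).

```c
/* Added example, not from the advisory or from inetutils: a checker for the
 * detection rule "login(1) launched by telnetd with a -f option". The log
 * format is constructed for this example: one exec event per line carrying
 * the parent's comm, the process comm and the argv string. */
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 512

/* Constructed sample events; hosts are documentation addresses. */
static const char *const SAMPLE_LINES[] = {
    "2026-01-20T10:01:02Z pcomm=telnetd comm=login argv=/usr/bin/login -h 203.0.113.5 alice",
    "2026-01-20T10:01:09Z pcomm=telnetd comm=login argv=/usr/bin/login -h 203.0.113.7 root -f",
    "2026-01-20T10:02:30Z pcomm=agetty comm=login argv=/usr/bin/login -f root",
    "2026-01-20T10:03:00Z pcomm=telnetd comm=login argv=/usr/bin/login -h 203.0.113.9 -froot",
};
#define SAMPLE_COUNT (int)(sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0])

/* Copy the value following key (up to the next space) into out. Keys carry a
 * leading space so " comm=" cannot match inside " pcomm=". Returns 1 if found. */
static int get_field(const char *line, const char *key, char *out, size_t outlen)
{
    const char *p = strstr(line, key);
    size_t i = 0;
    if (p == NULL)
        return 0;
    p += strlen(key);
    while (p[i] != '\0' && p[i] != ' ' && i + 1 < outlen) {
        out[i] = p[i];
        i++;
    }
    out[i] = '\0';
    return 1;
}

/* 1 if the event is login started by telnetd and any argument after argv[0]
 * is "-f" or begins with "-f" (getopt also accepts the attached "-fNAME").
 * A "-f" from another parent (e.g. agetty autologin) is not flagged. */
int is_suspicious_login(const char *line)
{
    char pcomm[64], comm[64], buf[LINE_MAX_LEN];
    const char *argv;
    int idx = 0;

    if (!get_field(line, " pcomm=", pcomm, sizeof pcomm) ||
        !get_field(line, " comm=", comm, sizeof comm))
        return 0;
    if (strcmp(pcomm, "telnetd") != 0 || strcmp(comm, "login") != 0)
        return 0;
    argv = strstr(line, " argv=");
    if (argv == NULL)
        return 0;
    argv += strlen(" argv=");
    strncpy(buf, argv, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " "), idx++) {
        if (idx > 0 && strncmp(tok, "-f", 2) == 0)
            return 1;
    }
    return 0;
}

/* Number of lines matching the rule. */
int count_suspicious(const char *const lines[], int n)
{
    int hits = 0;
    for (int i = 0; i < n; i++)
        hits += is_suspicious_login(lines[i]);
    return hits;
}

int main(void)
{
    for (int i = 0; i < SAMPLE_COUNT; i++)
        if (is_suspicious_login(SAMPLE_LINES[i]))
            printf("ALERT: %s\n", SAMPLE_LINES[i]);
    printf("%d of %d events matched\n",
           count_suspicious(SAMPLE_LINES, SAMPLE_COUNT), SAMPLE_COUNT);
    return 0;
}
```

Keying on the parent process rather than on "-f" alone is what keeps the rule quiet on hosts that use console autologin; if your tracer only gives you the parent PID, resolve it to a comm before applying the same test. On the sample events, the two telnetd-spawned logins carrying "-f" (one attached, one separate) are reported and the agetty one is not.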
