PT-2026-3756 · Gnu+2 · Inetutils+2

Carlos Cortes Alvarez +1 · Published 2026-01-20 · Updated 2026-03-04 · CVE-2026-24061

CVSS v2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

GNU Inetutils versions 1.9.3 through 2.7
telnetd versions 0.17+2.5-3ubuntu4.1
Description

GNU Inetutils telnetd contains a critical vulnerability that allows remote attackers to bypass authentication and gain root access without any credentials. The attacker manipulates the USER environment variable, specifically by setting it to "-f root"; the vulnerability stems from improper handling of this variable during the login process. Active exploitation of this flaw has been observed, and approximately 800,000 systems globally are potentially exposed. The vulnerability has been assigned CVE-2026-24061 and has a CVSS score of 9.8 (Critical).
Recommendations

Upgrade to GNU Inetutils version 2.8 or later.
Disable the telnetd service if it is not required.
Restrict access to the telnetd service to trusted IP addresses.
Monitor logs for anomalous login attempts.
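
The Description attributes the bypass to a client-supplied USER value such as "-f root" being handled improperly during login, which is the argument-injection pattern. The C code below is an added example, not code from GNU Inetutils or its fix: it shows the kind of validation that keeps such a value from being read as an option. The names user_value_is_safe, build_login_argv and MAX_USER_LEN are hypothetical, and it assumes login parses options getopt-style so that "--" ends option processing.

```c
#include <stdio.h>
#include <string.h>
#define MAX_USER_LEN 32 /* assumed limit, chosen for this example */

/* Hypothetical helper: returns 1 if a client-supplied USER value may be
 * placed on a login command line, 0 if it must be discarded. */
int user_value_is_safe(const char *user)
{
    if (user == NULL)
        return 0;
    size_t len = strlen(user);
    if (len == 0 || len > MAX_USER_LEN)
        return 0;
    /* A leading '-' would be read by login as an option, e.g. "-f root". */
    if (user[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        char c = user[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '.' || c == '-';
        if (!ok) /* rejects spaces, control bytes and shell metacharacters */
            return 0;
    }
    return 1;
}

/* Hypothetical helper: fills argv for exec'ing login. An unsafe USER is
 * dropped so login prompts for a name itself. Returns 1 if USER was used. */
int build_login_argv(const char *user, const char *argv[4])
{
    argv[0] = "login";
    argv[1] = argv[2] = argv[3] = NULL;
    if (!user_value_is_safe(user))
        return 0;
    argv[1] = "--"; /* assumption: getopt-style parsing, "--" ends options */
    argv[2] = user;
    return 1;
}

int main(void)
{
    /* Constructed sample values, including the one from the advisory. */
    const char *samples[] = { "alice", "-f root", "root -f", "svc-backup_01" };
    const char *argv[4];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%s -> %d\n", samples[i], build_login_argv(samples[i], argv));
    return 0;
}
```

A value rejected here is also worth logging with the peer address, since it is a direct signal for the "anomalous login attempts" the Recommendations ask to monitor.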

Exploit

Fix

RCE

Argument Injection

Weakness Enumeration

Related Identifiers

BDU:2026-00709
CVE-2026-24061
USN-7992-1
USN-7992-2

Affected Products

Inetutils
Linuxmint
Ubuntu