Critical GNU InetUtils Telnetd Vulnerability Allows Authentication Bypass and Root Access

The discovery of CVE-2026-24061 exposes a long-standing critical weakness in the GNU InetUtils telnet daemon (telnetd). Exploitation of this vulnerability enables remote authentication bypass and full root compromise, putting legacy and misconfigured systems at severe risk. The flaw remained undetected for nearly 11 years, affecting widely deployed GNU InetUtils versions used across Unix and Linux environments.

Vulnerability Details

Authentication Bypass Vulnerability (CVE-2026-24061)

A critical authentication bypass vulnerability tracked as CVE-2026-24061 has been identified in the GNU InetUtils telnetd service. The vulnerability carries a CVSS score of 9.8 (Critical) and affects all GNU InetUtils versions from 1.9.3 through 2.7.

According to the NIST National Vulnerability Database (NVD), “Telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a ‘-f root’ value for the USER environment variable.”

The flaw originates from how telnetd invokes /usr/bin/login, which typically runs with root privileges. The telnet daemon takes the value of the USER environment variable, received directly from the remote client, and passes it to login as an argument.

The vulnerability exists because the USER environment variable is not sanitized before it is passed to the login utility, so a value such as "-f root" is parsed as login's -f option, which tells login that the user has already been authenticated. The combination of trusted execution context and unsafe argument handling leads directly to unauthenticated root access.

Affected Products

  • GNU InetUtils telnetd versions 1.9.3 through 2.7

Tactics, Techniques & Procedures (TTPs)

  • TA0001 – Initial Access:
    • T1078 – Valid Accounts: Attackers exploit the telnet service to initiate a connection.
  • TA0004 – Privilege Escalation:
    • T1550 – Use Alternate Authentication Material: By providing a crafted USER environment variable, attackers bypass normal authentication and escalate their privileges to root.
  • TA0005 – Defense Evasion:
    • T1550 – Use Alternate Authentication Material: The crafted USER variable acts as an alternate authentication material, tricking the system into granting unauthorized access.

Mitigations

  • Disable telnetd entirely if Telnet is not required.
  • Restrict access to TCP port 23 using firewalls or network access controls.
  • Limit Telnet usage to trusted administrative networks only.
  • Replace or harden the login utility so that it disallows the -f parameter.
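
The input validation that the flaw description and the last mitigation point to, as an added example (not code from GNU InetUtils or from this post). The function names, the 32-character cap and the allow-list are assumptions, as is a getopt-based login that honors "--" as the end of options.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not inetutils code: accept a client-supplied USER
 * value only if login can never parse it as an option or as several
 * arguments. The 32-character cap is an assumed limit. */
int user_value_is_safe(const char *user)
{
    size_t i, len;
    if (user == NULL || user[0] == '-')   /* leading '-' reads as an option */
        return 0;
    len = strlen(user);
    if (len == 0 || len > 32)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        /* allow-list: letters, digits, '_', '.', and non-leading '-' */
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Fill argv for an exec-style call (no shell, no template string).
 * "--" ends option parsing, assuming a getopt-based login.
 * Returns the argument count, or -1 if the value is rejected. */
int build_login_argv(const char *user, const char *argv[], size_t cap)
{
    if (cap < 4 || !user_value_is_safe(user))
        return -1;
    argv[0] = "/usr/bin/login";
    argv[1] = "--";
    argv[2] = user;
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    /* Constructed sample values; "-f root" is the value quoted from NVD. */
    const char *samples[] = { "alice", "-f root", "root -f", "" };
    const char *argv[4];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("USER=\"%s\" -> %s\n", samples[i],
               build_login_argv(samples[i], argv, 4) < 0 ? "rejected" : "accepted");
    return 0;
}
```

Rejecting the value outright, rather than trying to strip or escape it, keeps the daemon from ever handing login an argument it did not intend.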

Instantly Fix Risks with Saner Patch Management

Saner patch management is continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
