Fixing and finding
Jump to remediation plan
CVE ID

CVE-2026-24061

Published 2026-01-21
Updated 3 months ago
Vendor/s
GNU
Product/s
InetUtils
Version/s
1.9.3 > 2.7
KEV Status
Active Exploitation
Listed in CISA's Known Exploited Vulnerabilities catalogue. Active exploitation observed in the wild.
CVSS Score (v3.1)
9.8
/ 10
Critical
Severity Details
Base score
9.8 Critical
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Description

CVE-2026-24061 is a critical 9.8 CVSS authentication bypass in GNU Inetutils telnetd. Secure your systems against remote root access exploits.

CPE

GNU logo
GNU
Product Version Start Version End (excl.) Status
inetutils 1.9.3 2.7 vulnerable
debian_linux 11.0 11.0 vulnerable

Related weakness (CWE)

CWE-88

Remediation plan

1

Apply official patches

Install the latest security updates from the GNU project or your specific Linux distribution maintainers. Ensure that the patches specifically addressing the telnetd environment variable handling (commits ccba9f7 and fd702c0) are integrated into your build.

2

Update affected systems

Identify all deployments of GNU Inetutils between versions 1.9.3 and 2.7, as well as Debian 11 systems. Upgrade these instances to a patched version or a newer release where the authentication bypass vulnerability has been remediated.

3

Restrict access

Disable the telnet service (TCP port 23) entirely in favor of encrypted protocols like SSH. If telnet must remain active for legacy reasons, implement strict firewall rules or Access Control Lists (ACLs) to limit access to known, trusted management IP addresses.

4

Monitor for exploitation

Audit system and authentication logs for telnet sessions that bypass standard login prompts. Specifically, look for log entries or network captures containing the string '-f root' or other command-line flags within the USER environment variable negotiation.

Detection Guidance

Detecting this vulnerability requires monitoring Telnet protocol negotiation for the 'NEW-ENVIRON' option (RFC 1572). Look for network signatures where the USER variable is set to values starting with '-f'. Additionally, monitor system logs for successful root logins via telnetd that do not have corresponding successful password authentication events, which may indicate a successful bypass.

References

https://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc Patch https://codeberg.org/inetutils/inetutils/commit/fd702c02497b2f398e739e3119bed0b23dd7aa7b Patch https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html Mitigation Vendor Advisory https://www.gnu.org/software/inetutils/ Product https://www.openwall.com/lists/oss-security/2026/01/20/2 Mailing List https://www.openwall.com/lists/oss-security/2026/01/20/8 Mailing List https://www.vicarius.io/vsociety/posts/cve-2026-24061-detection-script-remote-authentication-bypass-in-gnu-inetutils-package Third Party Advisory https://www.vicarius.io/vsociety/posts/cve-2026-24061-mitigation-script-remote-authentication-bypass-in-gnu-inetutils-package Mitigation Third Party Advisory http://www.openwall.com/lists/oss-security/2026/01/22/1 Mailing List https://lists.debian.org/debian-lts-announce/2026/01/msg00025.html Mailing List Third Party Advisory https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24061 US Government Resource https://www.labs.greynoise.io/grimoire/2026-01-22-f-around-and-find-out-18-hours-of-unsolicited-houseguests/index.html Exploit Third Party Advisory https://www.openwall.com/lists/oss-security/2026/01/20/2#:~:text=root@...a%3A~%20USER=' Mailing List Third Party Advisory

Sources

NIST National Vulnerability Database (NVD)
CISA Known Exploited Vulnerabilities (KEV)

Experience superior visibility and a simpler approach to cyber risk management

Get a demo
Free trial