LmCast :: Stay tuned in

Hackers exploit critical telnetd auth bypass flaw to get root

Recorded: Jan. 23, 2026, 5 p.m.


By Bill Toulas

January 23, 2026
11:21 AM

A coordinated campaign has been observed targeting a recently disclosed critical-severity vulnerability that has been present in the GNU InetUtils telnetd server for 11 years.
The security issue is tracked as CVE-2026-24061 and was reported on January 20. It is trivial to leverage and multiple exploit examples are publicly available.
Bug persisted since 2015
Open-source contributor Simon Josefsson explains that the telnetd component of GNU InetUtils contains a remote-authentication bypass vulnerability caused by unsanitized environment variable handling when spawning ‘/usr/bin/login’.

The flaw occurs because telnetd passes the user-controlled USER environment variable directly to login(1) without sanitization. By setting USER to -f root and connecting with the telnet -a command, an attacker can skip authentication and obtain root access.
The issue affects GNU InetUtils versions 1.9.3 (released in 2015) through 2.7, and was patched in version 2.8. For those who cannot upgrade to the safe release, mitigation strategies include disabling the telnetd service or blocking TCP port 23 on all firewalls.
GNU InetUtils is a collection of classic network client and server tools (telnet/telnetd, ftp/ftpd, rsh/rshd, ping, traceroute) maintained by the GNU Project, and used across multiple Linux distributions.
Although Telnet is an insecure, legacy component largely replaced by SSH, many Linux and Unix systems still include it for compatibility or specialized usage needs. It is particularly prevalent in the industrial sector because of its simplicity and low overhead.
On legacy and embedded devices, it can run without updates for more than a decade, explaining its presence in IoT devices, cameras, industrial sensors, and Operational Technology (OT) networks.
More technical users still rely on telnet for some projects:

[Embedded post: telnet still used to connect to old devices]
Another user confirmed the use of telnet "to connect to older Cisco devices that are way past “End of Life.” Same SSH issue."
However, devices exposed on the public internet that still have telnet active are scarce, prompting many researchers to describe the CVE-2026-24061 vulnerability as less critical.
Threat monitoring firm GreyNoise reports that it has detected real-world exploitation activity leveraging CVE-2026-24061 against a small number of vulnerable endpoints.
The activity, logged between January 21 and 22, originated from 18 unique attacker IPs across 60 Telnet sessions, all deemed 100% malicious, sending 1,525 packets totaling 101.6 KB.

[Image: Observed activity (Source: GreyNoise)]
The attacks abuse the Telnet IAC option negotiation to inject ‘USER=-f <user>’ and grant shell access without authentication. GreyNoise says most of the activity appears automated, although it noted a few “human-at-keyboard” cases.
The attacks varied in terminal speed, type, and X11 DISPLAY values, but in 83.3% of the cases, they targeted the ‘root’ user.
In the post-exploitation phase, the attackers conducted automated reconnaissance and attempted to persist SSH keys and deploy Python malware. GreyNoise reports that these attempts failed on the observed systems due to missing binaries or directories.
While the exploitation activity appears limited in scope and success, potentially impacted systems should be patched or hardened as per the recommendations before the attackers optimize their attack chains.
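The IAC option negotiation mentioned above carries the client's environment in the Telnet NEW-ENVIRON suboption (RFC 1572, option 39), which is how `telnet -a` forwards USER. The following Python parser is an added example, not code from the article, GreyNoise or GNU InetUtils: it decodes NEW-ENVIRON suboptions from the client-to-server byte stream of a port 23 session and flags USER values beginning with '-', which login(1) would read as an option rather than a username. The byte strings at the bottom are constructed samples, and the example assumes the injection arrives via NEW-ENVIRON rather than the older ENVIRON option (36).

```python
# Flags USER values sent via Telnet NEW-ENVIRON (RFC 1572) that login(1) would read as options.
IAC, SB, SE, NEW_ENVIRON = 255, 250, 240, 39        # Telnet commands and option code
IS, SEND, INFO = 0, 1, 2                            # NEW-ENVIRON subcommands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3               # field markers inside IS/INFO
SB_NEW_ENVIRON = bytes([IAC, SB, NEW_ENVIRON])

def _parse_pairs(data: bytes) -> list[tuple[str, str]]:
    """Turn VAR/USERVAR <name> VALUE <value> runs into (name, value) pairs."""
    pairs, name, value, cur, i = [], None, None, None, 0
    while i < len(data):
        b, literal = data[i], False
        if b == ESC and i + 1 < len(data):             # ESC quotes a literal 0..3 byte
            i, b, literal = i + 1, data[i + 1], True
        if not literal and b in (VAR, USERVAR):        # a new variable name begins
            if name is not None:
                pairs.append((name, value))
            name, value = bytearray(), bytearray()
            cur = name
        elif not literal and b == VALUE:               # switch to filling the value
            cur = value
        elif cur is not None:
            cur.append(b)
        i += 1
    if name is not None:
        pairs.append((name, value))
    return [(n.decode("latin-1"), v.decode("latin-1")) for n, v in pairs]

def extract_new_environ(stream: bytes) -> list[tuple[str, str]]:
    """Collect variables from every NEW-ENVIRON IS/INFO suboption in stream."""
    pairs, n, i = [], len(stream), stream.find(SB_NEW_ENVIRON)
    while i >= 0:
        body, i = bytearray(), i + 3
        while i + 1 < n and not (stream[i] == IAC and stream[i + 1] != IAC):
            body.append(stream[i])                     # IAC IAC is an escaped 0xff byte
            i += 2 if stream[i] == IAC else 1
        if stream[i + 1:i + 2] != bytes([SE]):
            break                                      # truncated or malformed suboption
        if body and body[0] in (IS, INFO):             # SEND requests carry no values
            pairs.extend(_parse_pairs(bytes(body[1:])))
        i = stream.find(SB_NEW_ENVIRON, i + 2)
    return pairs

def find_login_option_injection(stream: bytes) -> list[str]:
    """USER values that login(1) would parse as options rather than a username."""
    return [v for k, v in extract_new_environ(stream) if k == "USER" and v.startswith("-")]

# Constructed samples (not captures): IAC SB NEW-ENVIRON IS VAR name VALUE value ... IAC SE
ATTACK = b"\xff\xfa\x27\x00\x00USER\x01-f root\x03DISPLAY\x01host:0\xff\xf0"
BENIGN = b"\xff\xfa\x27\x00\x00USER\x01alice\xff\xf0"
```

Feed it the reassembled client-to-server TCP payload of a Telnet session (for example, extracted from a pcap); any non-empty result from `find_login_option_injection` is worth an alert regardless of whether the server was patched.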



Bill Toulas
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

Hackers Exploit Critical Telnetd Auth Bypass Flaw to Gain Root Access

A coordinated campaign has emerged targeting a longstanding, critical-severity vulnerability present in the GNU InetUtils telnetd server since 2015. Tracked as CVE-2026-24061, this vulnerability was publicly disclosed on January 20, 2026, and swiftly leveraged by malicious actors. The flaw stems from a remote-authentication bypass within the GNU InetUtils component, specifically related to the unsanitized handling of environment variables when spawning the `/usr/bin/login` command.

The core issue lies in telnetd’s direct passage of the user-controlled `USER` environment variable to the `login(1)` command, without any sanitization. Attackers can exploit this by setting the `USER` variable to `-f root` and utilizing the `telnet -a` command to bypass authentication and gain root access. Affected versions of GNU InetUtils range from 1.9.3 (released in 2015) through 2.7, with version 2.8 providing a remediation. Users unable to upgrade can mitigate the risk by disabling the telnetd service or blocking TCP port 23 on all firewalls.

GNU InetUtils is a collection of classic network client and server tools, including telnet/telnetd, ftp/ftpd, rsh/rshd, ping, and traceroute. Maintained by the GNU Project, it’s found across various Linux distributions and remains prevalent due to its simplicity and low overhead. Despite telnet being an inherently insecure legacy component largely replaced by SSH, its presence persists, particularly in the industrial sector, driven by its ease of use.

The vulnerability is amplified by the continued use of telnet on legacy and embedded devices, sometimes untouched for over a decade. This includes IoT devices, cameras, and industrial sensors within Operational Technology (OT) networks, where updates are infrequent. Furthermore, continued reliance on telnet for specific projects, such as connecting to older Cisco devices beyond their end-of-life, underscores the exposure.

GreyNoise, a threat monitoring firm, has confirmed real-world exploitation activity leveraging CVE-2026-24061, observed between January 21 and 22. The activity involved 18 unique attacker IPs across 60 Telnet sessions, flagged as 100% malicious, transmitting 1,525 packets totaling 101.6 KB. Initial investigations suggest an automated nature to much of the activity, though some instances of “human-at-keyboard” manipulation were noted.

The attacks deployed the Telnet IAC option negotiation to inject `USER=-f <user>` and grant shell access without authentication. Observations revealed that, in 83.3% of cases, the attacks targeted the `root` user. Post-exploitation, the attackers engaged in automated reconnaissance and attempted to persist SSH keys and deploy Python malware. These attempts ultimately failed due to missing binaries or directories on the targeted systems.

Despite the seemingly limited scope and success rate of the exploitation activity, mitigation strategies as recommended remain crucial. The rapid disclosure and practical exploitation underscore the ongoing need for vigilance, particularly within environments relying on legacy systems or OT networks.