CVE-2026-24061: GNU InetUtils Telnetd Remote Authentication Bypass

Summary

CVE-2026-24061 is a remote authentication bypass in GNU InetUtils telnetd affecting versions 1.9.3 through 2.7. An unauthenticated attacker can supply a specially crafted USER environment variable and pass it through a telnet client using the -a or –login options, enabling a login that results in root-level access. The issue is rated CVSS 9.8. The scope is limited to GNU InetUtils telnetd (up to 2.7); other telnetd implementations (including Cisco IOS, Microsoft, Netkit, and BusyBox) are not impacted. Successful exploitation enables remote access and can also be used to achieve local privilege escalation to root. The safest mitigation is to identify and disable Telnet entirely network restrictions may reduce exposure, but only removing the service eliminates the local root escalation risk.

Investigation

NSFOCUS CERT determined that telnetd does not correctly validate the USER environment variable supplied by the client. By abusing this validation weakness, an attacker can bypass standard authentication logic and obtain root access on vulnerable Linux/Unix hosts running the affected daemon.

Mitigation

A vendor fix is available for GNU InetUtils; impacted systems should upgrade to a patched release. If patching cannot be completed immediately, disable telnetd and migrate to SSH. Additional interim hardening includes configuring telnetd to use a custom login wrapper and disabling or preventing use of the -f parameter where applicable.

Response

Identify systems running telnetd, and monitor for telnet sessions invoked with -a or –login, especially when remote attempts to set the USER environment variable are observed. Prioritize patch deployment, disable telnetd wherever feasible, and enforce encrypted remote administration protocols to prevent re-exploitation.