Security researchers have observed active attacks targeting a critical vulnerability in the GNU InetUtils telnetd server that remained undiscovered for more than a decade.

The flaw, tracked as CVE-2026-24061, was publicly disclosed on January 20 and is already being exploited in the wild.

The vulnerability affects the telnetd component of GNU InetUtils, a collection of classic networking tools still included in many Linux and Unix systems. According to open-source contributor Simon Josefsson, the issue allows attackers to bypass authentication and gain root access by abusing how the service handles environment variables.

The flaw exists because telnetd passes a user-controlled environment variable called USER directly to the system login process without proper sanitization. By setting the variable to “-f root” and connecting using the telnet -a option, an attacker can skip authentication entirely and gain full system privileges.

CVE-2026-24061 impacts GNU InetUtils versions 1.9.3, released in 2015, through version 2.7. The issue has been fixed in version 2.8. Systems that cannot immediately upgrade are advised to disable the telnetd service or block TCP port 23 at the firewall level.

GNU InetUtils includes legacy tools such as telnet, ftp, rsh, ping, and traceroute. While Telnet has largely been replaced by SSH due to security concerns, it is still present on many systems for compatibility reasons. This is especially true in industrial and operational technology environments where simplicity and low overhead are preferred.

Legacy and embedded systems often run unchanged for many years, making Telnet common in industrial controllers, IoT devices, cameras, sensors, and OT networks. Zerotak researcher Cristian Cornea told BleepingComputer that replacing or upgrading these systems is frequently difficult or impossible because updates require reboots or hardware changes.


Despite Telnet’s reputation as outdated, some administrators still rely on it to manage older network equipment that no longer supports SSH. Users have confirmed continued Telnet use for accessing end-of-life Cisco devices and other legacy hardware.

Although few Telnet servers are exposed directly to the internet today, threat monitoring firm GreyNoise has detected real-world exploitation attempts. Between January 21 and 22, GreyNoise observed attacks from 18 unique IP addresses across 60 Telnet sessions, all classified as fully malicious.

The attacks used Telnet option negotiation to inject a malicious USER value and gain unauthenticated shell access. Most of the activity appeared automated, though some attacks showed signs of manual interaction. In more than 80 percent of cases, attackers attempted to access the root account.
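As an added example (not code from the article or from GNU InetUtils), the detector below parses the Telnet NEW-ENVIRON subnegotiation (RFC 1572) that a client uses to send environment variables such as USER, and flags a USER value that begins with "-", which is the pattern described above (a USER of "-f root" is read by the login process as an option rather than a user name). The two sample packets are constructed for the demonstration.

```python
# Added example: detect option-style USER values in Telnet NEW-ENVIRON
# subnegotiations (RFC 1572). Not part of the article or of GNU InetUtils.
IAC, SB, SE = 0xFF, 0xFA, 0xF0                # Telnet command bytes
NEW_ENVIRON = 39                              # option code (RFC 1572)
IS, VAR, VALUE, ESC, USERVAR = 0, 0, 1, 2, 3  # subnegotiation codes


def parse_new_environ(stream: bytes) -> dict:
    """Collect {name: value} from every NEW-ENVIRON IS block in a client stream."""
    env, pos = {}, 0
    while True:
        start = stream.find(bytes([IAC, SB, NEW_ENVIRON, IS]), pos)
        end = stream.find(bytes([IAC, SE]), start + 4) if start >= 0 else -1
        if end < 0:
            return env
        body = stream[start + 4:end]
        items, kind, buf, j = [], None, bytearray(), 0
        while j < len(body):
            b = body[j]
            if b == ESC and j + 1 < len(body):  # ESC quotes the following byte
                buf.append(body[j + 1])
                j += 2
                continue
            if b in (VAR, USERVAR, VALUE):      # a new field starts here
                if kind is not None:
                    items.append((kind, bytes(buf)))
                kind, buf = b, bytearray()
            else:
                buf.append(b)
            j += 1
        if kind is not None:
            items.append((kind, bytes(buf)))
        name = None
        for kind, data in items:                # pair each VAR/USERVAR with its VALUE
            if kind in (VAR, USERVAR):
                name, env[name] = data.decode("latin-1"), ""
            elif name is not None:
                env[name] = data.decode("latin-1")
        pos = end + 2


def flag_user_injection(stream: bytes) -> tuple:
    """Return (env, flagged); flagged when USER would be parsed as an option."""
    env = parse_new_environ(stream)
    return env, env.get("USER", "").startswith("-")


def _sample_packet(name: bytes, value: bytes) -> bytes:  # constructed test input
    return bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + name + bytes([VALUE]) + value + bytes([IAC, SE])


BENIGN_SAMPLE = _sample_packet(b"USER", b"alice")    # constructed
ATTACK_SAMPLE = _sample_packet(b"USER", b"-f root")  # constructed, value from the article
```

Running `flag_user_injection` over each sample returns `({'USER': 'alice'}, False)` and `({'USER': '-f root'}, True)`; the same check can be applied to captures from a Telnet honeypot or to the stream a hardened telnetd receives before it builds the login command line.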

After gaining access, the attackers performed automated reconnaissance and attempted to establish persistence by deploying SSH keys and Python-based malware. These attempts failed on the observed systems due to missing files or directories.

While the current exploitation activity appears limited and largely unsuccessful, researchers warn that attackers may refine their techniques. Organizations running vulnerable versions of GNU InetUtils are strongly advised to apply patches or disable Telnet services to prevent future compromise.
