
GNU InetUtils is a collection of network utilities (including telnet/telnetd, ftp/ftpd, rsh/rshd, ping, and traceroute) used by several Linux distributions. These tools can operate for extended periods without the need for updates on legacy hardware and embedded systems.
Approximately 800,000 IP addresses monitored by analysts at the Shadowserver Foundation reveal that a critical vulnerability, identified as CVE-2026-24061, in the telnetd server component of GNU InetUtils is being actively exploited.
The security flaw allows an attacker to remotely access the target system with administrator rights, completely bypassing the authentication procedure. The vulnerability, as highlighted by Simon Josefsson, a contributor to the GNU Project, originates from the telnetd server that invokes /usr/bin/login (usually run as root) and passes the value of the USER environment variable, received from the client, as its final parameter.
When a user sends a custom USER value, such as the string “root -f”, along with the -a or --login parameters to telnet, automatic authentication as root occurs.
The fundamental problem is that the telnetd service does not initialize the USER variable before passing it to the login command, which in turn uses the -f option to bypass the standard authentication procedure.
The vulnerability CVE-2026-24061 received a CVSS score of 9.8 and affects GNU InetUtils versions 1.9.3 (released in 2015) through 2.7. The issue was fixed in version 2.8, released on January 20, 2026. Remarkably, the issue remained undetected for nearly 11 years.
The issue appeared in the code on March 19, 2015, and was included in version 1.9.3 released on May 12, 2015. On January 19, 2026, the bug was discovered by a cybersecurity researcher using the pseudonym Kyu Neushwaistein.
A few days after the CVE-2026-24061 vulnerability was disclosed, security firm GreyNoise reported detecting limited exploitation of the vulnerability in real-world attacks. Malicious activity began on January 21 (the day after the patch was released).
According to information provided by GreyNoise, a total of 21 unique IP addresses attempted to exploit the vulnerability over the past 24 hours. Several countries appear to be at the source of the attacks, including Hong Kong, the United States, Japan, the Netherlands, China, Germany, Singapore, and Thailand.
According to experts, the attack originated from 18 IP addresses distributed across 60 Telnet sessions, exploiting the Telnet IAC options negotiation to inject USER=-f. This tactic allowed hackers to access compromised devices without any authentication.
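For defenders reviewing captured Telnet sessions, the following added example (not code from GreyNoise or the GNU project) pulls the USER value out of the option negotiation and flags values that login would read as options or extra arguments. It assumes the variable travels in the NEW-ENVIRON option defined by RFC 1572; the function names are hypothetical and the session bytes are constructed.

```python
# Telnet and NEW-ENVIRON (RFC 1572) byte values
IAC, SB, SE, NEW_ENVIRON = 255, 250, 240, 39
IS, INFO, VAR, VALUE, ESC, USERVAR = 0, 2, 0, 1, 2, 3

def environ_payloads(stream: bytes):
    """Yield the body of every IAC SB NEW-ENVIRON ... IAC SE block."""
    start = bytes([IAC, SB, NEW_ENVIRON])
    i = stream.find(start)
    while i != -1:
        i, body = i + 3, bytearray()
        while i < len(stream):
            if stream[i] == IAC and i + 1 < len(stream):
                if stream[i + 1] == SE:
                    yield bytes(body)
                    break
                i += 1  # IAC IAC is an escaped 0xFF data byte
            body.append(stream[i])
            i += 1
        i = stream.find(start, i)

def parse_vars(body: bytes) -> dict:
    """Decode the name/value pairs of an IS or INFO payload."""
    out, fields, name, i = {}, [], None, 1
    if not body or body[0] not in (IS, INFO):
        return out
    while i < len(body):
        if body[i] in (VAR, VALUE, USERVAR):
            fields.append([body[i], bytearray()])  # a type byte opens a new field
        elif fields:
            if body[i] == ESC and i + 1 < len(body):
                i += 1  # ESC makes the next byte literal
            fields[-1][1].append(body[i])
        i += 1
    for kind, data in fields:
        if kind != VALUE:
            name = data.decode("latin-1")
            out.setdefault(name, "")
        elif name is not None:
            out[name] = data.decode("latin-1")
    return out

def suspicious_users(stream: bytes) -> list:
    """USER values that login would read as options or extra arguments."""
    users = (parse_vars(b).get("USER") for b in environ_payloads(stream))
    return [u for u in users if u and (u[0] == "-" or any(c.isspace() for c in u))]

# Constructed session bytes (not captured traffic); "root -f" is the string the article quotes.
BENIGN = b"\xff\xfa\x27\x00\x00USER\x01alice\xff\xf0"
FLAGGED = b"\xff\xfa\x27\x00\x00USER\x01root -f\xff\xf0"
```

Run `suspicious_users()` over the client-to-server bytes of each reassembled TCP port 23 session; a legitimate account name never starts with a dash or contains whitespace.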
System administrators who have difficulty updating to the correct version in a timely manner are advised to disable the vulnerable telnetd service or block TCP port 23 on all firewalls.
The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed the active exploitation of the CVE-2026-24061 vulnerability, officially adding it to the Known Exploited Vulnerabilities (KEV) Catalog.
According to CISA, organizations must urgently apply vendor-provided mitigations or follow the guidance in Binding Operational Directive (BOD) 22-01. In the absence of effective countermeasures, product decommissioning is recommended. The vulnerability was added to the KEV Catalog on January 26, 2026, with a remediation deadline of February 16, 2026, underscoring the high priority of the risk.
