Active exploitation of a critical authentication bypass vulnerability in the GNU InetUtils telnetd server (CVE-2026-24061) has been observed in the wild, allowing unauthenticated attackers to gain root access to Linux systems.
The vulnerability, which affects GNU InetUtils versions 1.9.3 through 2.7, is an authentication bypass that yields a root shell, and therefore remote code execution, by manipulating the USER environment variable sent during Telnet option negotiation.
GreyNoise has detected a coordinated exploitation campaign targeting Telnet services (TCP/23) using the telnetd -f authentication bypass flaw.
The attack is an argument injection: the Telnet daemon passes the unsanitized, client-supplied USER environment variable on the command line of the /usr/bin/login binary. By supplying the value -f root, attackers make login interpret it as the -f option with the user root, which forces login to treat the session as pre-authenticated, bypassing all credential checks and granting an immediate root shell.
Recent analysis of honeypot traffic has captured 60 unique exploitation attempts from 18 distinct source IP addresses. These attacks range from opportunistic scanning to targeted persistence mechanisms, including SSH key injection and malware deployment.
telnetd Vulnerability CVE-2026-24061
The vulnerability resides in the way telnetd invokes the login program. Typically, telnetd executes /usr/bin/login (running as root) and passes the client-supplied USER variable as the final argument.
The exploitation flow proceeds as follows:
- Negotiation: The attacker initiates a Telnet connection and sends a malicious NEW-ENVIRON (ENVIRON) variable.
- Injection: The USER variable is set to -f root.
- Execution: telnetd executes login -p -h <remote host> -f root, the injected value having been split into two separate arguments.
- Bypass: The -f flag instructs login to skip authentication for the specified user (root), granting a shell.
Analysis of captured attack traffic reveals distinct patterns in attacker behavior. The most prolific source, 178.16.53[.]82, accounted for 12 sessions targeting 10 unique systems, utilizing a consistent payload configuration (9600 baud, XTERM-256COLOR).
Attackers are employing diverse payload configurations to evade simple signature detection:
- Terminal Speed: 38400 baud and 9600 baud are common, though some attacks negotiate 0,0 (no speed).
- Terminal Type: Payloads vary between standard XTERM-256COLOR, compatibility mode xterm-256color, and generic UNKNOWN types.
- Target Users: While root is the primary target (83% of attempts), probes for nobody, daemon, and randomized users like nonexistent123 have been observed.
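As an added illustration (not part of the original report, and not inetutils' own code), the Python below parses Telnet NEW-ENVIRON subnegotiations as RFC 1572 defines them, extracts the USER variable, flags values that login would read as an option, and models how a value of -f root ends up as two separate login arguments. The login command-line model in modelled_login_argv and the sample byte strings are constructed assumptions, not captured traffic. Because the check keys on the USER value rather than on terminal type or terminal speed, the payload variation described above does not affect it.

```python
"""Parse Telnet NEW-ENVIRON (RFC 1572) subnegotiations and flag USER values
that login would interpret as options (the CVE-2026-24061 pattern)."""
import shlex

# Telnet command bytes (RFC 854) and NEW-ENVIRON codes (RFC 1572).
IAC, SB, SE = 255, 250, 240
NEW_ENVIRON = 39
IS, SEND, INFO = 0, 1, 2               # subnegotiation sub-commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3  # entry markers inside IS/INFO


def _find_se(stream: bytes, start: int) -> int:
    """Index of the IAC SE ending a subnegotiation, skipping doubled IAC IAC data bytes."""
    k = start
    while (k := stream.find(bytes([IAC]), k)) >= 0:
        nxt = stream[k + 1] if k + 1 < len(stream) else None
        if nxt == IAC:
            k += 2          # escaped literal 0xff inside the data
        elif nxt == SE:
            return k
        else:
            k += 1
    return -1


def _decode_entries(body: bytes) -> dict:
    """Decode VAR/USERVAR <name> VALUE <value> ... pairs; ESC quotes the next byte."""
    env, name, buf, in_value = {}, None, bytearray(), False
    j = 0
    while j < len(body):
        b = body[j]
        if b == ESC and j + 1 < len(body):
            buf.append(body[j + 1])   # escaped VAR/VALUE/ESC/USERVAR byte is data
            j += 2
            continue
        if b == VALUE:
            name, buf, in_value = buf.decode("latin-1"), bytearray(), True
        elif b in (VAR, USERVAR):
            if in_value:
                env[name] = buf.decode("latin-1")
            elif buf:
                env[buf.decode("latin-1")] = ""   # variable sent without a value
            name, buf, in_value = None, bytearray(), False
        else:
            buf.append(b)
        j += 1
    if in_value:
        env[name] = buf.decode("latin-1")
    elif buf:
        env[buf.decode("latin-1")] = ""
    return env


def parse_new_environ(stream: bytes) -> list:
    """Return {name: value} for every NEW-ENVIRON IS/INFO subnegotiation in stream."""
    found, pos = [], 0
    head = bytes([IAC, SB, NEW_ENVIRON])
    while (start := stream.find(head, pos)) >= 0:
        end = _find_se(stream, start + len(head))
        if end < 0:
            break
        body = stream[start + len(head):end].replace(bytes([IAC, IAC]), bytes([IAC]))
        pos = end + 2
        if body and body[0] in (IS, INFO):
            found.append(_decode_entries(body[1:]))
    return found


def flag_autologin_injection(env: dict) -> bool:
    """True when the USER value would be parsed by login as an option, not a name.
    Terminal type and speed are deliberately ignored: the campaign varies them."""
    return env.get("USER", "").lstrip().startswith("-")


def modelled_login_argv(client_host: str, user: str) -> list:
    """ASSUMED model of the vulnerable behaviour, not inetutils' code: the USER value
    is appended to the login command line, which is then split into arguments."""
    return shlex.split(f"login -p -h {shlex.quote(client_host)} {user}")


def _environ_is(*entries: bytes) -> bytes:
    return bytes([IAC, SB, NEW_ENVIRON, IS]) + b"".join(entries) + bytes([IAC, SE])


# Constructed sample traffic for the example, not captured packets.
EXPLOIT_STREAM = (
    bytes([IAC, SB, 24, 0]) + b"XTERM-256COLOR" + bytes([IAC, SE])   # TERMINAL-TYPE IS
    + _environ_is(bytes([VAR]) + b"USER" + bytes([VALUE]) + b"-f root")
)
BENIGN_STREAM = _environ_is(
    bytes([VAR]) + b"USER" + bytes([VALUE]) + b"alice",
    bytes([USERVAR]) + b"LANG" + bytes([VALUE]) + b"C",
)

if __name__ == "__main__":
    for label, stream in (("exploit", EXPLOIT_STREAM), ("benign", BENIGN_STREAM)):
        for env in parse_new_environ(stream):
            verdict = "INJECTION" if flag_autologin_injection(env) else "ok"
            argv = modelled_login_argv("198.51.100.7", env.get("USER", ""))
            print(f"{label}: {env} -> {verdict}; modelled login argv = {argv}")
```

Run on the exploit sample, the parser yields USER = "-f root", the flag fires, and the modelled argv is ['login', '-p', '-h', '198.51.100.7', '-f', 'root'], which is exactly the invocation the exploitation flow above describes. A production detector would additionally apply the same check to the INFO sub-command and to any later re-negotiation, since nothing restricts an attacker to sending USER once.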
Upon gaining access, attackers immediately execute reconnaissance commands (uname -a, id, cat /etc/passwd), often wrapped in delimiter strings (e.g., S…EU…blah) so that the output can be parsed automatically by C2 infrastructure.
More advanced actors attempt to establish persistence. One campaign from 216.106.186[.]24 attempted to append a 3072-bit RSA key to ~/.ssh/authorized_keys. This same actor also attempted to fetch a second-stage Python payload (apps[.]py) from a distribution server, indicating a potential botnet recruitment drive.
| CVE ID | Severity | CVSS Score | Affected Versions |
|---|---|---|---|
| CVE-2026-24061 | Critical | 9.8 (Critical) | GNU InetUtils 1.9.3 – 2.7 |
Indicators of Compromise (IOCs)
| Indicator Type | Value | Context |
|---|---|---|
| Attacker IP | 178.16.53[.]82 | Top source (12 sessions), Reconnaissance |
| Attacker IP | 216.106.186[.]24 | SSH Key Injection, Malware Download |
| Attacker IP | 67.220.95[.]16 | Malware Distribution, Exploitation |
| Attacker IP | 156.238.237[.]103 | Confirmed Root Access (IDS Alert) |
| Malware URL | http://67.220.95[.]16:8000/apps.py | Python Payload Delivery |
| File Name | apps[.]py | Second-stage payload |
| SSH Key Comment | [email protected][.]hosting | Associated with persistence attempts |
