CVE-2026-24061
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass

Publication date: 2026-01-21

Last updated on: 2026-02-11

Assigner: MITRE

Description
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.
Affected Vendors & Products
Vendor   Product        Version
gnu      inetutils      1.9.3 through 2.7 (both inclusive)
debian   debian_linux   11.0
CWE
CWE-88: The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-24061 is a remote authentication bypass vulnerability in the telnetd daemon of GNU InetUtils versions 1.9.3 through 2.7. The issue arises because telnetd improperly handles the USER environment variable passed from the telnet client. Specifically, if an attacker sets the USER variable to a value such as '-f root', telnetd places this string directly on the login program's command line, where login interprets '-f' as its option to skip authentication and 'root' as the account to log in as. This lack of sanitization allows an attacker to gain root access remotely without providing valid credentials. [2, 3]


How can this vulnerability impact me?

This vulnerability allows an attacker to bypass authentication remotely and gain root-level access on the affected system running telnetd from GNU InetUtils. This means an attacker can fully control the system without needing valid login credentials, potentially leading to complete system compromise, unauthorized data access, and further exploitation. [2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect this vulnerability by checking if your system is running GNU InetUtils telnetd versions 1.9.3 through 2.7, which are known to be vulnerable. Additionally, testing for the vulnerability can be done by attempting to connect to the telnetd server with a USER environment variable set to '-f root' using the telnet client with the '-a' or '--login' option. For example, on a vulnerable system, setting USER='-f root' and running 'telnet -a localhost' would result in a root login without authentication. To check the version of inetutils-telnetd installed, you can use commands like 'telnetd --version' or check the package version via your package manager (e.g., 'dpkg -l | grep inetutils-telnetd' on Debian-based systems). [3]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:
1) Avoid running the telnetd server if possible.
2) Restrict network access to the telnet port to trusted clients only.
3) Apply patches that sanitize the USER environment variable and other variables used in the login command line expansion.
4) Upgrade to a version of GNU InetUtils that includes the fix for this vulnerability.
5) As a workaround, disable telnetd or configure it to use a custom login program that disallows the '-f' parameter.
These steps help prevent remote authentication bypass via the USER environment variable. [3]
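The following is an added illustration of the CWE-88 pattern described in the explanation above and of the sanitization that mitigation step 3 calls for. It is example code written for this page, not GNU Inetutils source: the LOGIN_PATH constant, the function names and the exact argv layout are assumptions, and the "unsafe" builder only models the failure (a client-controlled value expanded into a command line without being delimited from options) so that the hardened builder can be compared against it.

```python
"""CWE-88 illustration for CVE-2026-24061: option injection through a
client-controlled username. Added example, not GNU Inetutils code."""
import re
import shlex

# Assumed path of the login program a telnet daemon would exec.
LOGIN_PATH = "/bin/login"

# Strict POSIX-portable username: leading letter or underscore, then
# letters, digits, underscore or hyphen, at most 32 characters total.
# A leading '-' can never match, so no value can be parsed as an option.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def build_login_argv_unsafe(user: str) -> list[str]:
    """Vulnerable pattern (modelled, not Inetutils' real code): the value
    of USER is expanded into a command-line string and then word-split.
    '-f root' therefore becomes two argv elements, '-f' and 'root', and the
    login program sees an option it was never meant to receive."""
    cmdline = f"{LOGIN_PATH} {user}"
    return shlex.split(cmdline)


def build_login_argv_safe(user: str) -> list[str]:
    """Hardened pattern: validate the value against a strict allow-list and
    pass it as a single argv element (no shell, no re-splitting)."""
    if not USERNAME_RE.fullmatch(user):
        raise ValueError(f"refusing unsafe username value: {user!r}")
    return [LOGIN_PATH, user]


def argv_has_injected_options(argv: list[str]) -> bool:
    """Defensive check usable on any constructed argv: report True if any
    element after the program path would be parsed as an option."""
    return any(arg.startswith("-") for arg in argv[1:])


if __name__ == "__main__":
    # Constructed sample values: one legitimate name, three hostile ones.
    for value in ["alice", "-f root", "alice extra", "root;id"]:
        unsafe = build_login_argv_unsafe(value)
        print(f"{value!r:16} unsafe argv={unsafe} "
              f"injected={argv_has_injected_options(unsafe)}")
        try:
            print(f"{'':16} safe argv={build_login_argv_safe(value)}")
        except ValueError as exc:
            print(f"{'':16} safe builder rejected: {exc}")
```

The allow-list is deliberately the narrow POSIX portable character set; a site that permits other usernames can widen the regular expression, but the property to preserve is that no accepted value begins with '-' or contains whitespace, so the login program can never read part of it as an option.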


Meta Information
CVE Publication Date:
2026-01-21
CVE Last Modified Date:
2026-02-11
Report Generation Date:
2026-02-16
AI Powered Q&A Generation:
2026-01-21
EPSS Last Evaluated Date:
2026-02-14