Telnet Strikes Back: GNU Inetutils Root Authentication Bypass
Vulnerability ID: CVE-2026-24061 CVSS Score: 9.8 Published: 2026-01-21
A critical argument injection vulnerability in GNU Inetutils telnetd allows unauthenticated remote attackers to gain full root access by manipulating the USER environment variable.
TL;DR
It is 2026, and we are still getting root shells over Telnet. During the initial option negotiation a telnet client can hand the server environment variables (the NEW-ENVIRON option, RFC 1572). By setting ‘USER’ to ‘-f root’ there, an attacker makes the remote telnet daemon execute the system ‘login’ binary with the ‘-f’ flag, which tells login that the user is already authenticated and skips the password prompt. This bypasses authentication entirely and drops the attacker into a root shell. If you are running GNU Inetutils telnetd 1.9.3 through 2.7, you are vulnerable.
⚠️ Exploit Status: POC
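To make the mechanism concrete, the following added example (written for this page, not GNU Inetutils code) models how a login-command template is expanded with the client-supplied USER value and what argv ends up reaching login(1). It assumes a template with a %U placeholder that is substituted verbatim and then split on whitespace to build argv; the template string, the %h expansion and the skips_authentication() model of login's option parsing are assumptions for illustration. Only the leading-dash rejection in expand_patched() mirrors the case 'U' change in telnetd/utility.c.

```python
"""Model of how a telnetd login template turns the client-sent USER value
into the argv of /bin/login: vulnerable, patched, and hardened variants.

Added example for this page; not GNU Inetutils code. Assumptions:
  * the daemon holds a login-invocation template with a %U placeholder
    (LOGIN_TEMPLATE below is hypothetical; the real string is not shown
    on the page);
  * %U is replaced by the USER variable the client sent via NEW-ENVIRON;
  * the expanded string is split on whitespace to build argv.
Only the leading-dash rejection in expand_patched() mirrors the case 'U'
change in telnetd/utility.c.
"""
import re

LOGIN_TEMPLATE = "/bin/login -p -h %h %U"   # hypothetical template

# Conservative user-name shape: no whitespace, cannot start with '-'.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]*$")


def expand_vulnerable(template, remote_host, env):
    """Pre-fix behaviour: %U is whatever the client sent, verbatim."""
    user = env.get("USER", "")
    return template.replace("%h", remote_host).replace("%U", user).split()


def expand_patched(template, remote_host, env):
    """Behaviour of the fd702c0 hunk: a USER beginning with '-' becomes ""."""
    user = env.get("USER", "")
    if user.startswith("-"):
        user = ""
    return template.replace("%h", remote_host).replace("%U", user).split()


def expand_hardened(template, remote_host, env):
    """Defence in depth: accept only a plausible user name and pass it after
    '--' so login's option parser cannot read it as a flag."""
    user = env.get("USER", "")
    if not USERNAME_RE.match(user):
        user = ""
    argv = template.replace("%h", remote_host).replace("%U", "").split()
    if user:
        argv += ["--", user]
    return argv


def skips_authentication(argv):
    """Model of login(1) option parsing: True if a -f flag (alone or bundled,
    e.g. -pf) appears before any '--' end-of-options marker."""
    for arg in argv[1:]:
        if arg == "--":
            return False
        if arg.startswith("-") and not arg.startswith("--") and "f" in arg[1:]:
            return True
    return False


if __name__ == "__main__":
    payload = {"USER": "-f root"}        # constructed: the CVE-2026-24061 value
    for name, fn in (("vulnerable", expand_vulnerable),
                     ("patched", expand_patched),
                     ("hardened", expand_hardened)):
        argv = fn(LOGIN_TEMPLATE, "203.0.113.7", payload)
        print(f"{name:10s} bypass={skips_authentication(argv)!s:5s} argv={argv}")
```

In this model the first-character check stops ‘-f root’ but not a value such as ‘alice -f root’, because the dash reappears as its own argv element after tokenization; expand_hardened() closes that by validating USER against a user-name pattern and placing it after ‘--’. Whether the daemon's second fix commit (ccba9f74) covers the same ground is not shown on this page.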
Technical Details
- CWE ID: CWE-88 (Argument Injection)
- CVSS v3.1: 9.8 (Critical)
- Attack Vector: Network (TCP/23)
- Privileges Required: None
- EPSS Score: 0.00362 (Rising)
- Exploit Status: Proof of Concept Available
Affected Systems
- GNU Inetutils telnetd 1.9.3
- GNU Inetutils telnetd 1.9.4
- GNU Inetutils telnetd 2.0 - 2.7
- Linux distributions using GNU inetutils (e.g., older Debian, Arch, Gentoo profiles)
- GNU Inetutils: >= 1.9.3, <= 2.7 (fixed in 2.8)
Code Analysis
Commit: fd702c0
telnetd: Fix -f root authentication bypass.
--- a/telnetd/utility.c
+++ b/telnetd/utility.c
@@ -25,7 +25,7 @@
case 'U':
- return getenv ("USER") ? xstrdup (getenv ("USER")) : xstrdup ("");
+ { char *u = getenv("USER"); return (u && *u != '-') ? xstrdup(u) : xstrdup(""); }
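Review bot: the new check in the case 'U' branch rejects only a USER value whose first byte is '-'; whether a value containing whitespace or a later dash can still reach login as an option depends on how the caller tokenizes the expanded login command before exec, which this hunk does not show, so the caller should also terminate option parsing with `--` before the user name (the page's remediation notes rely on login honouring that delimiter) or restrict USER to user-name characters. The rejected value is silently replaced by an empty string; logging the offending value at warning level would give operators a detection signal for exploitation attempts. Minor: `getenv("USER")` and `xstrdup(u)` drop the space before the parenthesis that the surrounding GNU-style code uses (`getenv ("USER")`).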
Exploit Details
- NCSC-NL: Detailed advisory outlining the USER environment variable injection.
- OSS-Security: Original disclosure thread.
Mitigation Strategies
- Disable the telnetd service immediately.
- Block TCP port 23 on all firewalls, including host-based ones.
- Replace Telnet with SSH.
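Until the service is off, exploitation attempts are visible on the wire: the USER value arrives in a NEW-ENVIRON (telnet option 39) IS or INFO subnegotiation as defined in RFC 1572. The following added example (written for this page, not GNU Inetutils code) parses those subnegotiations out of a raw client-to-server telnet byte stream and flags USER values that start with a dash or contain whitespace. The byte constants are the RFC 854/1572 values; the two sample streams are constructed here, and new_environ_is() is a helper for building test messages that assumes plain ASCII names and values (no ESC quoting needed).

```python
"""Flag telnet NEW-ENVIRON subnegotiations whose USER value could reach
login(1) as an option (the CVE-2026-24061 pattern).

Added example for this page, not GNU Inetutils code. Byte values are the
RFC 854 / RFC 1572 constants; BENIGN and MALICIOUS are constructed samples.
"""
IAC, SB, SE = 255, 250, 240          # RFC 854
NEW_ENVIRON = 39                     # RFC 1572 option code
IS, SEND, INFO = 0, 1, 2             # subnegotiation commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3


def iter_subnegotiations(stream):
    """Yield (option, payload) for each IAC SB ... IAC SE in a byte stream,
    with IAC IAC doubling inside the payload undone."""
    i, n = 0, len(stream)
    while i < n - 1:
        if stream[i] == IAC and stream[i + 1] == SB and i + 2 < n:
            option, j, payload = stream[i + 2], i + 3, bytearray()
            while j < n:
                if stream[j] == IAC and j + 1 < n:
                    if stream[j + 1] == IAC:      # escaped 0xff data byte
                        payload.append(IAC)
                        j += 2
                        continue
                    if stream[j + 1] == SE:       # end of subnegotiation
                        break
                payload.append(stream[j])
                j += 1
            yield option, bytes(payload)
            i = j + 2
        else:
            i += 1


def _flush(env, name, value):
    if name is not None:
        env[name.decode("latin-1")] = (value if value is not None else b"").decode("latin-1")


def parse_new_environ(payload):
    """Parse an IS/INFO payload into {name: value}; None for a SEND request."""
    if not payload or payload[0] not in (IS, INFO):
        return None
    env, name, value, target = {}, None, None, None
    i = 1
    while i < len(payload):
        b = payload[i]
        if b in (VAR, USERVAR):                   # start of a new variable
            _flush(env, name, value)
            name, value, target = bytearray(), None, "name"
        elif b == VALUE and name is not None:     # start of its value
            value, target = bytearray(), "value"
        elif target is not None:
            if b == ESC and i + 1 < len(payload):  # ESC quotes VAR/VALUE/ESC
                i += 1
                b = payload[i]
            (name if target == "name" else value).append(b)
        i += 1
    _flush(env, name, value)
    return env


def suspicious_user_values(stream):
    """Return USER values from NEW-ENVIRON IS/INFO messages that look like
    option injection: a leading '-' or embedded whitespace."""
    hits = []
    for option, payload in iter_subnegotiations(stream):
        if option != NEW_ENVIRON:
            continue
        env = parse_new_environ(payload)
        if not env:
            continue
        user = env.get("USER")
        if user is not None and (user.startswith("-") or any(c.isspace() for c in user)):
            hits.append(user)
    return hits


def new_environ_is(**pairs):
    """Build IAC SB NEW-ENVIRON IS (VAR name VALUE value)* IAC SE.
    Helper for constructing samples; assumes plain ASCII, no ESC quoting."""
    body = bytearray([IS])
    for k, v in pairs.items():
        body += bytes([VAR]) + k.encode() + bytes([VALUE]) + v.encode()
    return bytes([IAC, SB, NEW_ENVIRON]) + bytes(body) + bytes([IAC, SE])


# Constructed samples: a normal login and the CVE-2026-24061 payload.
BENIGN = new_environ_is(USER="alice", TERM="xterm")
MALICIOUS = new_environ_is(USER="-f root")

if __name__ == "__main__":
    print("benign   :", suspicious_user_values(BENIGN))
    print("malicious:", suspicious_user_values(MALICIOUS))
```

Run it over the client-to-server half of a reassembled TCP stream (a pcap split per direction, or inline in a telnet proxy). Treat any hit as an exploitation attempt rather than a misconfigured client: no legitimate client sends a USER value that begins with a dash.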
Remediation Steps
- Update GNU Inetutils to version 2.8 or later.
- If updating is impossible, backport commits fd702c02 and ccba9f74.
- Verify that the login binary telnetd invokes (/bin/login) stops option parsing at a ‘--’ delimiter, so that a user name can never be interpreted as an option.