A 27-year-old telnet vulnerability gives attackers root access. A recently discovered flaw in the GNU Inetutils telnet daemon (telnetd) has brought a 27-year-old security vulnerability back to life, enabling attackers to obtain root access without authentication by taking advantage of improper sanitization of environment variables. The vulnerability, known as CVE-2026-24061, affects GNU Inetutils up to version 2.7 and allows remote authentication to be circumvented when a malicious client sets the USER environment variable to "-f root".

This discovery, which was reported by security researcher Ron Ben Yizhak, spurred a more thorough examination of whether the ghost of CVE-1999-0073 still haunts contemporary telnet implementations. CVE-1999-0073 is a 1999 vulnerability that allowed attackers to inject environment variables like LD_LIBRARY_PATH to subvert system libraries. The main issue is the way telnetd launches /bin/login.

Because both processes operate in a root-to-root environment, the Linux kernel sets AT_SECURE to 0 in the process's auxiliary vector. This value is crucial: when it is positive, AT_SECURE instructs glibc and the dynamic linker (ld-linux.so) to switch to secure-execution mode, which automatically eliminates or neutralizes hazardous environment variables like LD_LIBRARY_PATH, GCONV_PATH, and others. When AT_SECURE is set to zero, the dynamic linker views the session as fully trusted, allowing a telnet client to pass any environment variable without any limitations.

This places all of the responsibility for sanitization on telnetd, which it is unable to fulfill. A recent commit (4db2f19f) added unsetenv("CREDENTIALS_DIRECTORY") to partially solve the issue, but the solution is still dangerously incomplete.

Currently, telnetd uses a blacklist technique, filtering by prefix or full variable name in an effort to block harmful variables. This is not enough, according to researchers. Through the telnet protocol, an attacker can directly inject the glibc variable GCONV_PATH as well as GNU gettext-specific variables like OUTPUT_CHARSET and LANGUAGE.

An attacker can trick gettext into calling iconv_open() by declaring a character set mismatch (for example, injecting ISO-8859-1 against a UTF-8 system). Because AT_SECURE is set to 0, iconv_open() blindly follows the attacker-supplied GCONV_PATH to find a custom gconv-modules file and then loads arbitrary shared objects as root.

PoC for the 27-year-old telnet vulnerability

In Justin Swartz's proof of concept, a low-privileged local user (abuser) loaded a malicious shared library (libcash2trash.so) by injecting environment variables through a regular telnet session. gettext started the exploit chain when /bin/login tried to show a localized prompt. Before the connection was lost, the payload silently copied /bin/sh with SUID/SGID permissions.

The resultant binary gave the unprivileged user full root privileges by running with euid=0 (root) and egid=0 (root). No telnetd authentication was required or performed. Researchers suggest consolidating everything into a single CVE for "Improper environment sanitization in telnetd" so that it comprehensively covers both the CREDENTIALS_DIRECTORY vector and this dynamic linker escape.

The suggested remediation completely abandons the faulty blacklist model. The only dependable long-term solution is to follow the OpenSSH AcceptEnv-style methodology: create a rigorous whitelist of safe environment variable names for /bin/login and perform stringent input sanitization on their values. Organizations that are still using telnet services are advised to switch to SSH and disable telnetd right away.
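A default-deny filter in the AcceptEnv style described above, as an added example (not GNU Inetutils or OpenSSH code). The whitelisted names, the value rules and the sample pairs are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed whitelist for illustration; a real deployment chooses its own. */
static const char *const allowed_names[] = { "TERM", "DISPLAY", "USER", NULL };

/* Constructed sample of client-supplied pairs (not captured traffic). */
static const char *const sample_client_env[] = {
    "TERM=xterm-256color", "USER=-f root", "GCONV_PATH=/tmp/mods",
    "OUTPUT_CHARSET=ISO-8859-1", "LANGUAGE=en", "DISPLAY=:0", NULL };

/* Accept a value only if it is short, non-empty, does not start with '-'
 * (it could be read as an option by /bin/login) and uses a narrow charset. */
static int value_is_safe(const char *v)
{
    size_t n = strlen(v);
    if (n == 0 || n > 64 || v[0] == '-')
        return 0;
    return strspn(v, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                     "0123456789._:-") == n;
}

/* Returns 1 if a client-supplied "NAME=value" pair may be passed to login.
 * Names are matched exactly, never by prefix. */
int env_pair_allowed(const char *pair)
{
    const char *eq = strchr(pair, '=');
    if (eq == NULL || eq == pair)
        return 0;
    size_t name_len = (size_t)(eq - pair);
    for (size_t i = 0; allowed_names[i] != NULL; i++)
        if (strlen(allowed_names[i]) == name_len &&
            strncmp(allowed_names[i], pair, name_len) == 0)
            return value_is_safe(eq + 1);
    return 0; /* default deny: any name not listed is dropped */
}

/* Prints the keep/drop decision for each constructed sample pair. */
int main(void)
{
    for (size_t i = 0; sample_client_env[i] != NULL; i++)
        printf("%-4s %s\n",
               env_pair_allowed(sample_client_env[i]) ? "keep" : "drop",
               sample_client_env[i]);
    return 0;
}
```

Because unknown names are dropped by default, GCONV_PATH, OUTPUT_CHARSET and LANGUAGE never need to be enumerated, and the value check rejects "-f root" even though USER itself is on the list.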

When telnet is unavoidable, it is crucial to upgrade GNU Inetutils and implement stringent network-level access controls until a comprehensive patch is released.