About 800,000 internet-accessible Telnet instances are vulnerable to unauthenticated remote code execution (RCE) due to a critical authentication bypass vulnerability in the telnetd component of GNU Inetutils This article explores injection vulnerability telnetd. . The vulnerability, which has a CVSS score of 9.8 and is tracked as CVE-2026-24061, puts exposed infrastructure globally at serious risk by enabling attackers to obtain root-level access without legitimate credentials.

Details of the Vulnerability An argument injection vulnerability in telnetd versions 1.9.3 through 2.7 is the source of the vulnerability. Attackers can inject the string "-f root" and completely avoid authentication because the telnetd server neglects to sanitize the USER environment variable before passing it to/usr/bin/login.

Learn more Consulting for computer security Exploits for penetration testing services The login process interprets the "-f" flag as a force-login parameter and automatically grants root access without running authentication checks when an attacker connects using telnet -a or –login with USER set to "-f root." A source code commit from March 2015 contained the vulnerability, which went unnoticed for almost 11 years in major Linux distributions like Debian, Ubuntu, Kali Linux, and Trisquel. Publicly available proof-of-concept exploits are being actively used in the wild.

GreyNoise captured 1,525 packets from 18 distinct attacker IPs during 60 Telnet sessions between January 21 and 22, 2026, and discovered real-world exploitation within 18 hours of the public disclosure.

Root user access was the focus of the majority of attacks (83.3%), and post-exploitation actions included system reconnaissance, SSH key persistence, and malware deployment attempts. Companies should update to GNU InetUtils version 2.8 or higher right away. Critical mitigations for systems that cannot upgrade include completely stopping the telnetd service, blocking TCP port 23 at network perimeter firewalls, and limiting Telnet access to only trusted clients.

Organizations can find exposed instances on their networks with the aid of the Shadowserver Foundation's Accessible Telnet Report. Learn more about cybersecurity Services for cloud security LinkedIn, X for daily cybersecurity updates, and ethical hacking training. To have your stories featured, get in touch with us.