A critical remote authentication bypass vulnerability (CVE-2026-24061) has been disclosed in the GNU InetUtils telnetd server, affecting versions 1.9.3 through 2.7.
Severity:-
CVSS Score: 9.8 (Critical).
Description:-
CVE-2026-24061 is an argument-injection vulnerability that results in an authentication bypass in the telnetd component of GNU InetUtils. During Telnet NEW-ENVIRON negotiation, telnetd passes the client-supplied USER environment variable straight to the system login program without validating it. If USER is set to -f root, login interprets the value as its own option and treats the session as pre-authenticated, yielding an unauthenticated root shell. The flaw affects GNU InetUtils 1.9.3 through 2.7 and is fixed in 2.8.
Affected Versions:-
- GNU InetUtils package 1.9.3 – 2.7.
Impact:-
Successful exploitation allows unauthenticated remote attackers to bypass login and obtain root-level command execution on the affected host.
Resolution:-
Upgrade GNU InetUtils to version 2.8 or later.
Mitigation:-
If you cannot upgrade immediately:
- Disable the telnetd service.
- Restrict Telnet access to trusted management networks only.
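The two checks a defender needs from this advisory are "is my InetUtils build in the affected range?" and "would this value ever reach login unvalidated?". The following Python is an added illustration written for this bulletin; it is not code from GNU InetUtils, and the argv layout, the login path and the name rules are assumptions chosen to show the hardened pattern (validate the client-supplied name before it can be parsed as an option).

```python
import re

# Version bounds taken from the advisory: 1.9.3 through 2.7 affected, 2.8 fixed.
AFFECTED_MIN = (1, 9, 3)
FIXED_VERSION = (2, 8)

# Assumed rule for an acceptable login name: portable characters only, and the
# first character may never be '-' so the value cannot be read as an option.
_LOGIN_NAME_RE = re.compile(r"^[A-Za-z0-9._][A-Za-z0-9._-]{0,31}$")


def parse_version(text: str) -> tuple:
    """Turn a dotted version string such as '1.9.3' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected_version(text: str) -> bool:
    """True when a GNU InetUtils version lies inside the advisory's affected range."""
    version = parse_version(text)
    return AFFECTED_MIN <= version < FIXED_VERSION


def is_safe_login_name(name: str) -> bool:
    """Accept only names that cannot be mistaken for a login option."""
    return _LOGIN_NAME_RE.fullmatch(name) is not None


def audit_client_env(env: dict) -> list:
    """Return the names of client-supplied variables whose values start with '-'.

    Intended for reviewing NEW-ENVIRON values already decoded into a dict;
    the sample input in the test below is constructed, not captured traffic.
    """
    return [key for key, value in env.items() if value.startswith("-")]


def login_argv(user: str) -> list:
    """Hypothetical hardened counterpart to passing USER straight through.

    The client-supplied value is validated first; only then is it placed in
    the argv handed to the (assumed) login program path.
    """
    if not is_safe_login_name(user):
        raise ValueError("refusing to pass unsafe USER value to login: %r" % user)
    return ["/bin/login", user]


if __name__ == "__main__":
    for v in ("1.9.2", "1.9.3", "2.7", "2.8"):
        print(v, "affected" if is_affected_version(v) else "not affected")
    print(audit_client_env({"TERM": "xterm", "USER": "-f root"}))
```

The validation step is the whole point: a name that fails `is_safe_login_name` never reaches `login`, so an option-shaped value is rejected at the boundary instead of being interpreted by the privileged program.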
Reference:-
https://www.cyber.gc.ca/en/alerts-advisories/gnu-security-advisory-av26-047
https://thehackernews.com/2026/01/critical-gnu-inetutils-telnetd-flaw.html
UIT Information Security
