GNU InetUtils telnetd Authentication Bypass Exploited in the Wild
Take action: THIS IS URGENT! Check if you are using Telnet anywhere in your network. IMMEDIATELY isolate the Telnet interface to trusted networks and patch the code. Then stop using Telnet and switch to SSH.
A critical authentication bypass vulnerability in the GNU InetUtils telnetd service is under active attack.
The flaw is tracked as CVE-2026-24061 (CVSS score 9.8): a remote authentication bypass in GNU InetUtils telnetd via malicious USER environment variable injection. It is trivially exploitable, affects GNU InetUtils versions 1.9.3 through 2.7, and has existed in the code since May 2015.
Threat actors began exploiting the flaw on January 20, 2026, immediately after a public proof-of-concept exploit appeared online. The bug allows attackers to gain root access to systems without a password by manipulating the USER environment variable during the telnet connection process.
A command like USER='-f root' telnet -a servername grants full control immediately.
GreyNoise Labs detected exploitation attempts within 18 hours of the vulnerability's disclosure. Their sensors identified 18 unique IP addresses launching 60 distinct attacks. Most attackers used automated tools. While 83% of attacks targeted the root account, some actors tested other usernames like "nobody" or "daemon".
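For defenders who capture telnet traffic, the following added example (not code from GreyNoise, GNU InetUtils or the original article) scans a raw client-to-server byte stream for a USER value that begins with "-" or contains whitespace, such as the value quoted above. It assumes the USER variable travels in a telnet NEW-ENVIRON subnegotiation (RFC 1572); the function names, the whitespace heuristic and the sample captures are constructed for illustration.

```python
"""Added example: flag telnet NEW-ENVIRON (RFC 1572) USER values shaped like options."""
# Assumption: the client's USER variable arrives in a NEW-ENVIRON (option 39) block.
IAC, SB, SE, NEW_ENVIRON = 255, 250, 240, 39
IS, INFO = 0, 2                        # subnegotiation commands that carry variables
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3  # field markers inside the payload

def subnegotiations(stream):
    """Yield (option, payload) for each complete IAC SB ... IAC SE block."""
    i = 0
    while i < len(stream) - 2:
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] != SB:
            i += 2  # other telnet command, or IAC IAC (escaped data byte)
        else:
            option, j, payload = stream[i + 2], i + 3, bytearray()
            while j < len(stream) - 1 and stream[j:j + 2] != bytes([IAC, SE]):
                if stream[j:j + 2] == bytes([IAC, IAC]):
                    j += 1  # doubled IAC is a literal 0xFF
                payload.append(stream[j])
                j += 1
            if j < len(stream) - 1:  # only report blocks that were terminated
                yield option, bytes(payload)
            i = j + 2

def environ_vars(payload):
    """Decode an IS/INFO payload into {name: value}, honouring ESC."""
    if payload[:1] not in (bytes([IS]), bytes([INFO])):
        return {}
    fields, k = [], 1  # each field is [marker, text]
    while k < len(payload):
        if payload[k] in (VAR, VALUE, USERVAR):
            fields.append([payload[k], ""])
        elif fields:
            if payload[k] == ESC and k + 1 < len(payload):
                k += 1  # ESC: take the next byte literally
            fields[-1][1] += chr(payload[k])
        k += 1
    return {n: v for (mn, n), (mv, v) in zip(fields, fields[1:]) if mn != VALUE and mv == VALUE}

def suspicious_users(stream):
    """Return USER values that start with '-' or contain whitespace."""
    users = [environ_vars(p).get("USER") for o, p in subnegotiations(stream) if o == NEW_ENVIRON]
    return [u for u in users if u and (u[0] == "-" or any(c.isspace() for c in u))]

# Constructed captures (not real traffic): a plain login name and the article's value.
BENIGN = b"\xff\xfa\x27\x00\x00USER\x01alice\xff\xf0"
FLAGGED = b"\xff\xfb\x27" + b"\xff\xfa\x27\x00\x00USER\x01-f root\xff\xf0"
```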
Once inside, attackers ran commands to map the system. They checked kernel versions with 'uname -a', listed user accounts with 'cat /etc/passwd', and viewed hardware details. One specific attacker tried to install a persistent backdoor by adding an SSH key to the root account. Other actors tried to download Python scripts to turn the compromised systems into bots or crypto miners.
Security researchers at Censys found roughly 3,000 telnet services exposed to the internet that might be vulnerable.