A Potent Threat Resurfaces: Critical Telnetd Vulnerability Exploited Across Systems
A recently disclosed critical-severity vulnerability, CVE-2026-24061, has been exploited in a coordinated campaign targeting the GNU InetUtils telnetd server. This 11-year-old flaw, which was reported on January 20, 2026, can allow attackers to bypass authentication and gain root access, posing a significant threat to systems using the affected versions of GNU InetUtils.
Understanding the Vulnerability
The vulnerability exists due to unsanitized environment variable handling when spawning /usr/bin/login in the telnetd component of GNU InetUtils. By setting the USER environment variable to -f root and connecting via telnet, an attacker can bypass authentication and obtain root access.
Implications for North East India and Beyond
Although Telnet is an insecure, legacy component largely replaced by SSH, it is still prevalent in certain sectors, including the industrial sector and on legacy devices. This is particularly true in the North East region of India, where many industrial and embedded devices may not have been updated for more than a decade.
Real-world Exploitation and Mitigation Strategies
Threat monitoring firm GreyNoise has reported real-world exploitation activity leveraging CVE-2026-24061 against a small number of vulnerable endpoints. The attacks, which originated from 18 unique attacker IPs, were automated and aimed primarily at the root user. To mitigate this threat, it is recommended to upgrade to the patched version (2.8) of GNU InetUtils, disable the telnetd service, or block TCP port 23 on all firewalls.
Looking Ahead
While the current exploitation activity appears limited in scope and success, it is crucial for potentially impacted systems to be patched or hardened as soon as possible. As attackers optimize their attack chains, the potential for widespread damage increases.