The disclosed vulnerability CVE-2026-24061 affects the telnet daemon (telnetd) component of GNU InetUtils versions 1.9.3 through 2.7. The flaw arises from telnetd's unsafe handling of the USER environment variable received from the client. Specifically, telnetd passes the USER variable directly as the last argument to the /usr/bin/login program, which runs with root privileges. The login program accepts a '-f' flag that allows it to bypass normal authentication and log in a specified user directly. An attacker can exploit this by sending a USER environment variable with the value '-f root' combined with the telnet client’s '-a' or '--login' option to forward this environment variable. This causes login to interpret the '-f root' parameter and grant root access without any password verification. The vulnerability was introduced in a 2015 code commit and remained unnoticed for nearly 11 years. Although no confirmed exploits are publicly available, threat intelligence data shows scanning activity from IPs in multiple countries attempting to leverage this flaw. The vulnerability is rated 9.8/10 on CVSS by NIST, indicating critical severity. Mitigations include patching telnetd once updates are released, restricting telnet access to trusted networks, disabling telnetd entirely, or replacing the login binary with a version that does not accept the '-f' parameter. The flaw affects any system running vulnerable GNU InetUtils telnetd, which is common in some Linux distributions and embedded systems. Due to telnet’s legacy status and frequent exposure on internal networks, the risk of lateral movement and privilege escalation is significant if exploited.

For European organizations, this vulnerability poses a severe risk of unauthorized root access on systems running vulnerable GNU InetUtils telnetd versions. Successful exploitation allows attackers to bypass all authentication controls remotely, leading to full system compromise. This can result in data breaches, disruption of critical services, and potential deployment of ransomware or other malware. Sectors such as government, finance, telecommunications, and critical infrastructure that rely on legacy Linux systems or embedded devices with telnetd are particularly at risk. The ease of exploitation without user interaction or credentials increases the likelihood of rapid compromise once the vulnerability is known. Additionally, the presence of scanning activity from multiple countries indicates active interest by threat actors, raising the urgency for European entities to respond. The impact extends beyond confidentiality to integrity and availability, as attackers with root access can manipulate or destroy data and disrupt operations. The vulnerability also facilitates lateral movement within networks, potentially compromising broader enterprise environments.

1. Immediately audit all systems for the presence of GNU InetUtils telnetd versions 1.9.3 through 2.7 and identify exposed telnet services. 2. Restrict network access to the telnet port (TCP 23) using firewalls and network segmentation to allow only trusted hosts or disable telnet access entirely where possible. 3. Disable the telnetd service on all systems unless absolutely necessary; replace telnet with more secure alternatives such as SSH. 4. Apply patches or updates from GNU InetUtils maintainers as soon as they become available to fix the vulnerability. 5. As a temporary workaround, replace the /usr/bin/login binary used by telnetd with a custom version that rejects the '-f' parameter or sanitize the USER environment variable before passing it to login. 6. Monitor network traffic and logs for unusual telnet connection attempts or environment variable anomalies indicative of exploitation attempts. 7. Conduct internal vulnerability scans and penetration tests to verify that no systems remain vulnerable. 8. Educate system administrators about the risks of legacy protocols like telnet and encourage migration to secure protocols. 9. Implement robust endpoint detection and response (EDR) solutions to detect suspicious activity related to privilege escalation or unauthorized root access.