Cyber Resilience

CVE-2026-24061

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 21 January 2026

Published
21 January 2026
Modified
11 February 2026
KEV Added
26 January 2026
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9887 99.9th percentile
Risk Priority 100 floored blend · peak EPSS

Summary

CVE-2026-24061 is a critical-severity Argument Injection (CWE-88) vulnerability in Gnu Inetutils. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-24061 is a high-severity vulnerability (CVSS 9.8) in the telnetd daemon of GNU Inetutils versions through 2.7, stemming from CWE-88 (improper neutralization of argument delimiters). It enables remote authentication bypass by setting the USER environment variable to "-f root", allowing attackers to circumvent login credentials without proper validation of the input.

Any unauthenticated remote attacker with network access to the telnetd service can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation grants high-impact privileges, potentially including root-level access, resulting in complete compromise of confidentiality, integrity, and availability (C:H/I:H/A:H) on the affected system.

Mitigation involves applying patches from upstream commits, such as ccba9f748aa8d50a38d7748e2e60362edd6a32cc and fd702c02497b2f398e739e3119bed0b23dd7aa7b on Codeberg, which address the authentication flaw. Advisories on GNU bug-inetutils and oss-security mailing lists detail the issue and fixes, with further details available on the GNU Inetutils project page; security practitioners should upgrade to versions beyond 2.7 and disable telnetd where possible.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.

CWE(s)
KEV Date Added
26 January 2026

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability allows unauthenticated remote exploitation of the telnetd daemon via argument injection for authentication bypass, granting root access. This directly maps to T1190 (public-facing service exploit), T1210 (remote service exploitation), and T1068 (privilege escalation via exploit).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-38352Same product: Debian Debian Linuxboth on KEV
CVE-2025-27363Same product: Debian Debian Linuxboth on KEV
CVE-2026-32746Same product: Gnu Inetutils
CVE-2026-28372Same product: Gnu Inetutils
CVE-2025-24813Same product: Debian Debian Linuxboth on KEV
CVE-2023-5631Same product: Debian Debian Linuxboth on KEV
CVE-2025-48384Same product: Debian Debian Linuxboth on KEV
CVE-2025-62799Same product: Debian Debian Linux
CVE-2025-68615Same product: Debian Debian Linux
CVE-2025-41244Same product: Debian Debian Linuxboth on KEV

Affected Assets

gnu
inetutils
1.9.3 — 2.7
debian
debian linux
11.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the authentication bypass flaw in telnetd by identifying, reporting, and applying patches from upstream commits.

prevent

Requires validation of inputs such as the USER environment variable to neutralize argument delimiters and prevent authentication bypass via CWE-88.

prevent

Prohibits or restricts unnecessary insecure services like telnetd to eliminate exposure to this remote authentication bypass vulnerability.

References