CVE-2026-24061

CriticalCISA KEVActive ExploitationPublic PoC

Published: 21 January 2026

Published

21 January 2026

Modified

11 February 2026

KEV Added

26 January 2026

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.9112 99.7th percentile

Risk Priority 94 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24061 is a critical-severity Argument Injection (CWE-88) vulnerability in Gnu Inetutils. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the authentication bypass flaw in telnetd by identifying, reporting, and applying patches from upstream commits.

SI-10 Information Input Validation good match

prevent

Requires validation of inputs such as the USER environment variable to neutralize argument delimiters and prevent authentication bypass via CWE-88.

CM-7 Least Functionality good match

prevent

Prohibits or restricts unnecessary insecure services like telnetd to eliminate exposure to this remote authentication bypass vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

The vulnerability allows unauthenticated remote exploitation of the telnetd daemon via argument injection for authentication bypass, granting root access. This directly maps to T1190 (public-facing service exploit), T1210 (remote service exploitation), and T1068 (privilege escalation via exploit).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.

Deeper analysisAI

CVE-2026-24061 is a high-severity vulnerability (CVSS 9.8) in the telnetd daemon of GNU Inetutils versions through 2.7, stemming from CWE-88 (improper neutralization of argument delimiters). It enables remote authentication bypass by setting the USER environment variable to "-f root", allowing attackers to circumvent login credentials without proper validation of the input.

Any unauthenticated remote attacker with network access to the telnetd service can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation grants high-impact privileges, potentially including root-level access, resulting in complete compromise of confidentiality, integrity, and availability (C:H/I:H/A:H) on the affected system.

Mitigation involves applying patches from upstream commits, such as ccba9f748aa8d50a38d7748e2e60362edd6a32cc and fd702c02497b2f398e739e3119bed0b23dd7aa7b on Codeberg, which address the authentication flaw. Advisories on GNU bug-inetutils and oss-security mailing lists detail the issue and fixes, with further details available on the GNU Inetutils project page; security practitioners should upgrade to versions beyond 2.7 and disable telnetd where possible.

Details

CWE(s): CWE-88
KEV Date Added: 26 January 2026

Affected Products

gnu

inetutils

1.9.3 — 2.7

debian

debian linux

11.0

CVEs Like This One

CVE-2025-38352Same product: Debian Debian Linuxboth on KEV

CVE-2025-27363Same product: Debian Debian Linuxboth on KEV

CVE-2026-32746Same product: Gnu Inetutils

CVE-2026-28372Same product: Gnu Inetutils

CVE-2025-24813Same product: Debian Debian Linuxboth on KEV

CVE-2025-48384Same product: Debian Debian Linuxboth on KEV

CVE-2025-62799Same product: Debian Debian Linux

CVE-2025-68615Same product: Debian Debian Linux

CVE-2025-41244Same product: Debian Debian Linuxboth on KEV

CVE-2025-24201Same product: Debian Debian Linuxboth on KEV

References

https://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc
Patch · cve@mitre.org
https://codeberg.org/inetutils/inetutils/commit/fd702c02497b2f398e739e3119bed0b23dd7aa7b
Patch · cve@mitre.org
https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html
Mitigation, Vendor Advisory · cve@mitre.org
https://www.gnu.org/software/inetutils/
Product · cve@mitre.org
https://www.openwall.com/lists/oss-security/2026/01/20/2
Mailing List · cve@mitre.org
https://www.openwall.com/lists/oss-security/2026/01/20/8
Mailing List · cve@mitre.org
https://www.vicarius.io/vsociety/posts/cve-2026-24061-detection-script-remote-authentication-bypass-in-gnu-inetutils-package
Third Party Advisory · cve@mitre.org
https://www.vicarius.io/vsociety/posts/cve-2026-24061-mitigation-script-remote-authentication-bypass-in-gnu-inetutils-package
Mitigation, Third Party Advisory · cve@mitre.org
http://www.openwall.com/lists/oss-security/2026/01/22/1
Mailing List · af854a3a-2127-422b-91ae-364da2661108
https://lists.debian.org/debian-lts-announce/2026/01/msg00025.html
Mailing List, Third Party Advisory · af854a3a-2127-422b-91ae-364da2661108
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24061
US Government Resource · 134c704f-9b21-4f2e-91b3-4a467353bcc0
https://www.labs.greynoise.io/grimoire/2026-01-22-f-around-and-find-out-18-hours-of-unsolicited-houseguests/index.html
Exploit, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0
https://www.openwall.com/lists/oss-security/2026/01/20/2#:~:text=root@...a%3A~%20USER='
Mailing List, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0