Summary

CVE-2026-24061 is a critical remote code execution (RCE) vulnerability affecting the GNU telnetd daemon up to version 2.7-2. The flaw enables authentication bypass by manipulating the USER environment variable during the telnet session initiation, which results in the execution of /usr/bin/login with the -f flag, effectively bypassing password authentication and granting an unauthorized root shell. This vulnerability poses a severe risk to systems exposing telnet services, particularly legacy or embedded systems where telnet remains in use despite known security deficiencies. SafeBreach Labs provided a proof-of-concept (PoC) exploit demonstrating reliable exploitation under controlled conditions, emphasizing the exploitability in real-world scenarios. CISA added the bug to its Known Exploited Vulnerabilities list on Jan. 26.

Affected Systems and/or Applications

• GNU Inetutils telnetd v1.9.3 up to and including v2.7

This vulnerability specifically affects systems using the GNU implementation of the telnet daemon, commonly found in older distributions or specialized environments where modern secure alternatives like SSH are not enforced.

Technical Details

The vulnerability arises from improper validation and sanitization of environment variables passed to the login program during telnet session setup. When a client connects to the telnet service, the daemon prepares the execution environment for /usr/bin/login. However, in vulnerable versions, an attacker can inject a crafted USER environment variable within the telnet negotiation phase.

Due to insufficient input filtering, the telnetd daemon passes this manipulated USER value to login with the -f flag, which instructs login to bypass authentication for the specified user. Since telnetd runs with elevated privileges (typically as root), this results in direct, unauthenticated access to a root shell.

The exploit does not require prior authentication or valid credentials. The PoC demonstrated by SafeBreach involves sending a specially crafted telnet option negotiation packet containing the malicious USER environment variable, triggering the vulnerable behavior. This technique leverages legacy telnet environment option negotiation (RFC 1408), which is disabled by default in many modern configurations but remains active in some deployments.

Notably, the flaw resides in the interaction between telnetd and login, rather than in either component alone, making it a logic‑level vulnerability that evades traditional input validation checks.

Mitigation

Organizations should take the following proactive steps to mitigate the risk posed by CVE‑2026‑24061:

• Patch GNU telnetd to version 2.7-2 or later, where the environment variable sanitization has been corrected to prevent unauthorized -f flag usage.
• Restrict access to the telnet port to trusted clients.
• As a temporary measure, where feasible, disable telnet daemons entirely.
• Telnet transmits credentials and data in plaintext, making it inherently insecure. Use a modern, encrypted remote login protocol like SSH.

What the Cyber Fusion Center is Doing

The CFC is monitoring the situation to identify potential threat-hunting opportunities. This advisory will be updated if required. Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.

Tenable IDs:

• 296594
• 296511
• 294968

References

• https://www.safebreach.com/blog/safebreach-labs-root-cause-analysis-and-poc-exploit-for-cve-2026-24061/
• https://thehackernews.com/2026/01/critical-gnu-inetutils-telnetd-flaw.html
• https://www.cisa.gov/news-events/alerts/2026/01/26/cisa-adds-five-known-exploited-vulnerabilities-catalog