CVE-2026-24061: Critical Telnetd Flaw Grants Root Access

A critical vulnerability, assigned CVE-2026-24061, has been discovered in GNU InetUtils telnetd, the server daemon for the Telnet protocol. This flaw allows a remote attacker to completely bypass authentication and gain immediate root access to the vulnerable system.

The vulnerability stems from an argument injection flaw where the USER environment variable, supplied by the client, is passed unsanitized to the system's login program. By crafting a specific malicious payload, attackers can trick the system into logging them in as the root user without ever providing a password.

It was identified that while the vulnerability was only discovered in January 2026, it had been present in the codebase for over a decade.

In this blog, we explore the anatomy of CVE-2026-24061. We explain what GNU InetUtils telnetd is, how a 2015 patch introduced this decade-old flaw, the mechanics of the argument injection exploit, and how to safely simulate this threat using the Picus Security Validation Platform.

What is GNU InetUtils telnetd?

GNU InetUtils is a collection of common network programs and servers (daemons) maintained by the GNU Project. It includes standard utilities like ftp, rsh, rlogin, and telnet.

telnetd is the specific server component responsible for handling incoming Telnet connections. When a user connects to a server via Telnet, telnetd answers the request, establishes the connection, and then typically hands the session over to the system's /usr/bin/login program to handle the actual user authentication (username and password prompts). While Telnet has largely been replaced by SSH due to its lack of encryption, it remains in use in legacy systems, specific industrial applications, and closed internal networks.

When Do Good Intentions Go Wrong: How Was CVE-2026-24061 Created?

The critical security flaw identified as CVE-2026-24061 did not originate from malicious intent, but rather from a well-meaning attempt to improve user experience more than a decade ago. The issue traces back to late 2014, when a usability bug was reported regarding the GNU inetutils telnet daemon (telnetd).

In December 2014, a discussion began on the project's mailing list where a user reported that telnetd was not correctly handling the username provided by the client. Even when a user supplied their login name during the initial connection (via the -l option), the server would ignore it and prompt for the username again. This behavior was flagged as a regression or annoyance that needed fixing. Below is the user message about the problem [1]:

Below is the developer’s response message about the problem [2]:

Below are the code changes the developer made [3]:

To address the problem, the developer proposed a solution that involved passing the USER environment variable, received from the client, directly to the underlying /usr/bin/login program. By March 2015, a patch was finalized, which modified the login_invocation string in the source code. The update introduced a new placeholder (%U) to inject the content of the USER variable into the command line arguments executed by the system. But this was a critical mistake that caused the vulnerability.

How Does the CVE-2026-24061 in GNU InetUtils telnetd Work?

The vulnerability exploits the interaction between the telnetd daemon and the system's login binary (/usr/bin/login). Under normal operations, when a user connects, telnetd constructs a command to execute the login program. Because of the 2015 patch, this command construction includes the value of the USER environment variable, which is controlled by the connecting client.

The core issue is that telnetd trusts this input blindly. It takes the string provided in the USER variable and appends it directly to the arguments passed to login.

An attacker can exploit this by setting their USER environment variable to a string containing command-line flags rather than a username. The most devastating payload is -f root.

When telnetd receives this variable, it constructs the execution command for the login program. Instead of a harmless username, the command ends up looking something like this:

This injection triggers a specific feature in the login utility. The -f flag tells the login program that the user has already been authenticated. It stands for "force" or "pre-authenticated." By appending root immediately after the flag, the attacker instructs login to skip the password prompt entirely and log in the session directly as the root user.

Because telnetd runs with root privileges (to bind to the network port and spawn processes), the login program inherits these privileges and honors the -f request. The result is that the attacker is instantly dropped into a root shell without ever guessing or typing a password.

The attack requires no special tools; it can be executed using a standard Telnet client by simply manipulating environment variables before the connection is initiated:

The -a flag stands for automatic login. It instructs the Telnet client to automatically send the content of your local USER environment variable to the server during the connection handshake. In this exploit, this is important because it ensures the malicious payload (-f root) is actually transmitted to the vulnerable server.

How Picus Helps Simulate GNU InetUtils telnetd CVE-2026-24061 Attacks?

We also strongly suggest simulating the GNU InetUtils telnetd CVE-2026-24061 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as regreSSHion, Citrix Bleed, and Follina, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for GNU InetUtils telnetd CVE-2026-24061 vulnerability exploitation attacks:

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

Key Takeaways

• CVE-2026-24061 is a critical vulnerability in the GNU InetUtils telnetd server daemon that allows remote attackers to bypass authentication and gain immediate root access.
• The flaw is an argument injection vulnerability caused by passing the client-supplied USER environment variable unsanitized directly to the system login program.
• The vulnerability was accidentally introduced in a March 2015 patch designed to improve user experience by fixing an auto-login bug.
• Attackers can exploit the flaw without special tools by manipulating their USER environment variable to "-f root" and initiating a connection with the automatic login flag.
• The injected "-f root" payload forces the login utility to treat the session as pre-authenticated, instantly granting a root shell without a password.
• Discovered in January 2026, this vulnerability was present in the codebase for over ten years and is actively being exploited in the wild against exposed Telnet servers.

References

[1] “[bug-inetutils] inetutils-telnet always prompt entering username even if.” Accessed: Jan. 27, 2026. [Online]. Available: https://lists.gnu.org/archive/html/bug-inetutils/2014-12/msg00010.html

[2] “Re: [bug-inetutils] inetutils-telnet always prompt entering username eve.” Accessed: Jan. 27, 2026. [Online]. Available: https://lists.gnu.org/archive/html/bug-inetutils/2015-03/msg00001.html

[3] “Quarter where Party members were supposed not to drink gin, though in practice such.” Accessed: Jan. 27, 2026. [Online]. Available: https://codeberg.org/inetutils/inetutils/commit/fa3245ac8c288b87139a0da8249d0a408c4dfb87