⚠ Actively exploited

Added to CISA KEV on 2026-01-26. Federal agencies required to patch by 2026-02-16. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable..

CVE-2026-24061

CWE-8817 documents14 sources

Severity

9.8CRITICAL

EPSS

88.0%

top 0.52%

CISA KEV

KEV

Added 2026-01-26

Due 2026-02-16

Exploit

PoC available

Public exploit / PoC exists

Affected products

GNU Inetutils Debian Debian Linux

Timeline

PublishedJan 21

KEV addedJan 26

KEV dueFeb 16

Latest updateFeb 18

CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶Debianinetutils< 2:2.0-1+deb11u3+3

▶CVEListV5gnu/inetutils1.9.3 — 2.7

▶NVDgnu/inetutils1.9.3 — 2.7

Also affects: Debian Linux 11.0

Patches

Patch: codeberg.org ↗Patch: codeberg.org ↗

🔴Vulnerability Details

GHSA

GHSA-pf97-p8ff-fj35: telnetd in GNU Inetutils through 2↗2026-01-21

▶

OSV

CVE-2026-24061: telnetd in GNU Inetutils through 2↗2026-01-21

▶

CVEList

CVE-2026-24061: telnetd in GNU Inetutils through 2↗2026-01-21

▶

VulnCheck

GNU InetUtils Argument Injection Vulnerability↗2026

▶

💥Exploits & PoCs

Metasploit

GNU Inetutils Telnet Authentication Bypass Exploit CVE-2026-24061↗

▶

Nuclei

GNU Inetutils telnetd - Authentication Bypass

▶

🔍Detection Rules

Suricata

ET WEB_SERVER GNU InetUtils Authentication Bypass via USER Environment Variable (CVE-2026-24061)↗2026-01-23

▶

Elastic

Telnet Authentication Bypass via User Environment Variable↗

▶

Elastic

Potential Telnet Authentication Bypass (CVE-2026-24061)↗

▶

📋Vendor Advisories

Ubuntu

Inetutils vulnerability↗2026-02-18

▶

Ubuntu

Inetutils vulnerability↗2026-02-02

▶

CISA

GNU InetUtils Argument Injection Vulnerability↗2026-01-26

▶

Debian

CVE-2026-24061: inetutils - telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "...↗2026

▶

🕵️Threat Intelligence

Bleepingcomputer

Nearly 800,000 Telnet servers exposed to remote attacks↗2026-01-26

▶

Bleepingcomputer

Hackers exploit critical telnetd auth bypass flaw to get root↗2026-01-23

▶

Wiz

CVE-2026-24061 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶