- 13/2026
- Critical
GNU InetUtils has released a security update to fix a critical vulnerability affecting the telnetd service in GNU InetUtils versions from 1.9.3 through 2.7.
The addressed vulnerability could allow the attacker to bypass authentication controls due to improper handling of the user-supplied USER environment variable. The telnetd service passes this variable directly to /usr/bin/login without adequate sanitization. By setting USER=-f root and initiating a connection using the telnet -a option, the attacker can circumvent the authentication process and gain unauthorized root-level access to the affected system.
GNU Inetutils Security Bypass Vulnerability in telnetd (CVE-2026-24061):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Bypass Security
It should be highlighted that security researchers disclosed a proof-of-concept (PoC) exploit that exists in the wild for vulnerability “CVE-2026-24061”.
Vulnerabilities
CVE-2026-24061
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.