11-Year-Old Telnetd Bug Gets PoC
A new proof-of-concept exploit has been released for CVE-2026-24061, an 11-year-old authentication bypass vulnerability in GNU telnetd. The exploit allows an attacker to gain root access, demonstrating the long tail of risk from legacy software.
The vulnerability, CVE-2026-24061, stems from the GNU telnetd server failing to properly sanitize the USER environment variable. An attacker can pass the value "-f root" through the USER variable, which is then passed to the `/usr/bin/login` command. The `-f` flag instructs the login program to bypass normal authentication, granting the attacker immediate root access. This flaw was inadvertently introduced in a source code change on March 19, 2015, and was first included in the GNU InetUtils version 1.9.3 release on May 12, 2015. The vulnerability remained undiscovered for over a decade, affecting all subsequent versions up to and including 2.7. Security researcher Kyu Neushwaistein is credited with discovering and reporting the bug on January 19, 2026. Telnet itself is a legacy client-server protocol dating back to 1969. It transmits all data, including usernames and passwords, in plaintext, making it susceptible to eavesdropping. Due to its lack of built-in security, its use has been largely superseded by Secure Shell (SSH). Despite being considered obsolete, Telnet persists in many environments, particularly on legacy Unix and Linux servers, embedded systems, and network appliances. The Shadowserver Foundation estimates that approximately 800,000 Telnet instances remain exposed to the internet. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-24061 to its Known Exploited Vulnerabilities (KEV) catalog. The exploit for CVE-2026-24061 is considered "zero-effort" and grants immediate root access, making it highly attractive to attackers. Security researchers observed active exploitation of the vulnerability shortly after its public disclosure. One honeypot set up to monitor for attacks was compromised in less than an hour. This vulnerability highlights the significant risks associated with unmanaged technical debt and legacy software. Outdated systems often lack vendor support and security patches, making them prime targets for attackers. The persistence of old protocols like Telnet, often on overlooked or forgotten devices, creates a substantial attack surface.
