Authentication Bypass in GNU Inetutils telnetd <=2.7 via USER var
CVE-2026-24061 Published on January 21, 2026

telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.

NVD

Known Exploited Vulnerability

This GNU InetUtils Argument Injection Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. GNU InetUtils contains an argument injection vulnerability in telnetd that could allow for remote authentication bypass via a "-f root" value for the USER environment variable.

The following remediation steps are recommended / required by February 16, 2026: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Vulnerability Analysis

CVE-2026-24061 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. This vulnerability is known to be actively exploited by threat actors in an automatable fashion. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

What is an Argument Injection Vulnerability?

The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

CVE-2026-24061 has been classified to as an Argument Injection vulnerability or weakness.


Products Associated with CVE-2026-24061

Want to know whenever a new CVE is published for GNU Inetutils? stack.watch will email you.

GNU Inetutils
 

Affected Versions

GNU Inetutils:

Exploit Probability

EPSS
77.92%
Percentile
98.98%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.