A new day, a new challenge for cyber defenders. Right after the disclosure of a nasty zero-day vulnerability in Cisco’s unified communication management products (CVE-2026-20045), security researchers spotted a novel bug that had gone unnoticed for 11 years. A critical authentication bypass issue (CVE-2026-24061) affects the GNU InetUtils telnet daemon (telnetd), enabling remote attackers to elevate their privileges to root on the affected system.
Notably, researchers from the threat intelligence company GreyNoise observe that more than 20 unique IPs attempted to proceed with auth bypass attacks by exploiting CVE-2026-24061 over the last day.
Register for the SOC Prime Platform to access the world’s largest real-time detection intelligence collection, backed by a comprehensive product suite supporting everything from detection to simulation. Click Explore Detections to access an extensive rule set for vulnerability exploit detection, pre-filtered using the custom CVE tag.
All the rules are compatible with 40+ SIEM, EDR, and Data Lake platforms and are mapped to the MITRE ATT&CK® framework v18.1. Additionally, each rule comes packed with broad metadata, including CTI references, attack flows, audit configurations, and more.
Security professionals can also leverage Uncoder AI to streamline their detection engineering efforts. Generate behavior rules from raw threat reports, validate detection logic, visualize Attack Flow, convert IOCs into hunting queries, or instantly translate detection code across multiple languages – all in one place.
CVE-2026-24061 Analysis
A newly disclosed simple argument injection vulnerability in the GNU InetUtils telnetd enables threat actors to bypass authentication using “-f root” value in the USER environment variable. Consequently, an unauthenticated remote attacker might get access to instances running the affected teltetd services and escalate privileges to root. Successful exploitation may allow hackers to access sensitive data, modify system configurations, and execute arbitrary commands, potentially leading to full system compromise.
According to the security advisory, the issue occurs because the telnetd service invokes /usr/bin/login, which typically runs with root privileges, and passes the USER environment variable supplied by the client as an argument without proper sanitization. By supplying the value “-f root” and using the telnet -a or --login option, the attacker causes login to skip standard authentication checks, resulting in an automatic root login.
The vulnerability was introduced by a source code change committed in March 2015 and first appeared in GNU InetUtils version 1.9.3. Remaining undetected for more than 11 years, the flaw affects all GNU InetUtils releases from version 1.9.3 through version 2.7, inclusive.
Users still running telnetd should install the upgrade as soon as possible. To mitigate the risks, security experts advise restricting telnet port access to trusted clients only. As temporary measures, users can also disable the telnetd server entirely or configure it to use a custom login utility that blocks the -f parameter, preventing unauthorized root logins.
Also, to always stay ahead of emerging threats, rely on SOC Prime’s AI-Native Detection Intelligence Platform, which equips SOC teams with cutting-edge technologies for threat detection and hunting.
The post CVE-2026-24061: Decade-Old Vulnerability in GNU InetUtils telnetd Enables Remote Root Access appeared first on SOC Prime.
