
Hackers Exploiting telnetd Vulnerability for Root Access – Public PoC Released

Active exploitation of a critical authentication bypass vulnerability in the GNU InetUtils telnetd server (CVE-2026-24061) has been observed in the wild, allowing unauthenticated attackers to gain root access to Linux systems.

The vulnerability, which affects GNU InetUtils versions 1.9.3 through 2.7, gives an unauthenticated client remote code execution as root by manipulating the USER environment variable that the client sends during Telnet option negotiation (the NEW-ENVIRON option).

GreyNoise has detected a coordinated exploitation campaign targeting Telnet services (TCP/23) that uses the telnetd -f authentication bypass flaw.

The flaw is an argument injection rather than a command injection: the Telnet daemon passes the unsanitized, client-supplied USER value on the command line of /usr/bin/login, which it runs as root, and a value that begins with a hyphen is parsed by login as an option instead of a user name. By supplying the value -f root, attackers make login treat the session as already authenticated (the -f flag means "user is pre-authenticated"), which bypasses every credential check and returns a root shell.

Recent analysis of honeypot traffic captured 60 unique exploitation attempts from 18 distinct source IP addresses. The activity ranges from opportunistic scanning to targeted attempts at persistence, including SSH key injection and malware deployment.

telnetd Vulnerability CVE-2026-24061

The vulnerability resides in the way telnetd invokes the login program. Typically, telnetd executes /usr/bin/login (running as root) and appends the client-supplied USER value as the final argument. Because the value is passed verbatim, with no check that it is a plain account name and nothing to stop login's option parser from reading it, a value such as -f root reaches login as a flag rather than a user name.

The exploitation flow proceeds as follows:

  1. Negotiation: The attacker opens a Telnet connection and, in the ENVIRON/NEW-ENVIRON subnegotiation, sends a malicious USER variable.
  2. Injection: The USER variable is set to -f root.
  3. Execution: telnetd executes login -p -h <host> -f root.
  4. Bypass: The -f flag tells login that the named user (root) is already authenticated, so it skips the password check and starts a root shell.

Analysis of captured attack traffic reveals distinct patterns in attacker behavior. The most prolific source, 178.16.53[.]82, accounted for 12 sessions targeting 10 unique systems and used a consistent payload configuration (terminal speed 9600 baud, terminal type XTERM-256COLOR).

Attackers use varied payload configurations, which defeats signatures keyed on a single terminal type or speed:

  • Terminal Speed: 38400 baud and 9600 baud are common, though some sessions negotiate 0,0 (no speed).
  • Terminal Type: Payloads vary between the upper-case XTERM-256COLOR, the lower-case xterm-256color, and the generic UNKNOWN type.
  • Target Users: root is the primary target (83% of attempts), but probes for nobody, daemon, and random names such as nonexistent123 have also been observed.
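The following Python is an added example for this article, not code from the article, GreyNoise, or GNU InetUtils. It decodes Telnet option subnegotiations from a raw client-to-server byte stream, extracts the USER value carried by the NEW-ENVIRON reply described in the exploitation flow above, and flags a value that begins with a hyphen as option injection, which is what a honeypot or IDS needs in order to alert on a -f root session. It also records the TERMINAL-TYPE and TERMINAL-SPEED replies so the payload configurations listed above (9600 baud, XTERM-256COLOR, 0,0, UNKNOWN) can be logged as a fingerprint. build_login_argv is an illustrative hardening pattern for the telnetd side and is an assumption, not the upstream patch; the byte strings built by client_stream are constructed samples, not real captures, and the function names are the example's own.

```python
"""Decode Telnet subnegotiations; flag USER values login would read as an option (added example)."""
from typing import Iterator, List, Optional, Tuple

IAC, SB, SE, WILL = 0xFF, 0xFA, 0xF0, 0xFB
TERMINAL_TYPE, TERMINAL_SPEED, NEW_ENVIRON = 24, 32, 39  # option codes
IS, SEND, INFO = 0, 1, 2                                 # subnegotiation commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3                    # NEW-ENVIRON type codes (RFC 1572)

def iter_subnegotiations(stream: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (option, payload) per complete IAC SB ... IAC SE, unescaping IAC IAC; stop at a malformed one."""
    i, n = 0, len(stream)
    while True:
        j = stream.find(bytes([IAC, SB]), i)
        if j < 0 or j + 2 >= n:
            return
        option, payload, k = stream[j + 2], bytearray(), j + 3
        while k + 1 < n and not (stream[k] == IAC and stream[k + 1] == SE):
            if stream[k] == IAC:
                if stream[k + 1] != IAC:
                    return  # IAC <cmd> other than SE/IAC inside SB: malformed
                k += 1      # skip the escape byte, keep the literal 0xFF
            payload.append(stream[k])
            k += 1
        if k + 1 >= n:
            return          # ran off the end before IAC SE (truncated capture)
        yield option, bytes(payload)
        i = k + 2

def parse_new_environ(payload: bytes) -> Tuple[Optional[int], list]:
    """Decode a NEW-ENVIRON payload into (command, [(type, name, value)]); ESC x -> x,
    and value is None for a name sent without a VALUE."""
    items, kind, name, value = [], None, bytearray(), None
    i = 1
    while i < len(payload):
        b = payload[i]
        if b == ESC and i + 1 < len(payload):      # escaped literal byte
            i += 1
            (name if value is None else value).append(payload[i])
        elif b in (VAR, USERVAR):                  # start of a new variable
            if kind is not None:
                items.append((kind, bytes(name), None if value is None else bytes(value)))
            kind, name, value = b, bytearray(), None
        elif b == VALUE:
            value = bytearray()
        else:
            (name if value is None else value).append(b)
        i += 1
    if kind is not None:
        items.append((kind, bytes(name), None if value is None else bytes(value)))
    return (payload[0] if payload else None), items

def is_option_injection(user: Optional[str]) -> bool:
    """True when login's option parser would see the USER value as a flag, e.g. '-f root'."""
    return user is not None and user.startswith("-")

def analyze_client_stream(stream: bytes) -> dict:
    """Record what a honeypot or IDS wants per session: USER, terminal fingerprint, verdict."""
    s = {"user": None, "terminal_type": None, "terminal_speed": None}
    for option, payload in iter_subnegotiations(stream):
        if option == NEW_ENVIRON:
            cmd, items = parse_new_environ(payload)
            if cmd in (IS, INFO):
                for _kind, name, value in items:
                    if name.upper() == b"USER" and value is not None:
                        s["user"] = value.decode("latin-1")
        elif option == TERMINAL_TYPE and payload[:1] == bytes([IS]):
            s["terminal_type"] = payload[1:].decode("latin-1")
        elif option == TERMINAL_SPEED and payload[:1] == bytes([IS]):
            s["terminal_speed"] = payload[1:].decode("latin-1")
    s["option_injection"] = is_option_injection(s["user"])
    return s

def build_login_argv(host: str, user: Optional[str]) -> List[str]:
    """Illustrative telnetd-side hardening (an assumption, not the upstream fix): accept only a
    plain account name and end option parsing with '--' so login never reads it as a flag."""
    argv = ["/usr/bin/login", "-p", "-h", host]
    if user:
        if not user.isascii() or not user.isprintable() or user[0] == "-" or set(user) & set(" \t:"):
            raise ValueError(f"refusing unsafe USER value {user!r}")
        argv += ["--", user]
    return argv

def client_stream(user: bytes, term: bytes, speed: bytes) -> bytes:
    """Constructed client->server bytes (the direction a honeypot sees): WILL NEW-ENVIRON, then
    the IS replies to the server's SEND requests. `user` must not need ESC/IAC escaping."""
    def sb(opt: int, body: bytes) -> bytes:
        return bytes([IAC, SB, opt]) + body + bytes([IAC, SE])
    return (bytes([IAC, WILL, NEW_ENVIRON])
            + sb(NEW_ENVIRON, bytes([IS, VAR]) + b"USER" + bytes([VALUE]) + user)
            + sb(TERMINAL_TYPE, bytes([IS]) + term)
            + sb(TERMINAL_SPEED, bytes([IS]) + speed))

# Constructed samples mirroring the configurations listed above; not real captures.
BENIGN = client_stream(b"alice", b"xterm-256color", b"38400,38400")
EXPLOIT = client_stream(b"-f root", b"XTERM-256COLOR", b"9600,9600")
PROBE = client_stream(b"-f nonexistent123", b"UNKNOWN", b"0,0")
if __name__ == "__main__":
    for capture in (BENIGN, EXPLOIT, PROBE):
        print(analyze_client_stream(capture))
```

Running the file prints the three constructed sessions; option_injection is true for the -f root and -f nonexistent123 payloads and false for the plain user name. The decoder stops at a truncated or malformed subnegotiation rather than guessing, so a partial capture yields only the complete options before the cut, and ESC-escaped type codes and doubled IAC bytes inside the USER value are unescaped before the hyphen check so that an attacker cannot hide the flag behind protocol escaping.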

After gaining a shell, attackers immediately run reconnaissance commands (uname -a, id, cat /etc/passwd), often wrapped in delimiters (e.g., S…EU…blah) so that C2 infrastructure can parse the output automatically.

More advanced actors attempt to establish persistence. One campaign from 216.106.186[.]24 attempted to append a 3072-bit RSA public key to ~/.ssh/authorized_keys. The same actor also attempted to fetch a second-stage Python payload (apps[.]py) from a distribution server, which points to a botnet recruitment drive.

CVE ID           Severity   CVSS Score        Affected Versions
CVE-2026-24061   Critical   9.8 (Critical)    GNU InetUtils 1.9.3 – 2.7

Indicators of Compromise (IOCs)

Indicator Type    Value                                Context
Attacker IP       178.16.53[.]82                       Top source (12 sessions), reconnaissance
Attacker IP       216.106.186[.]24                     SSH key injection, malware download
Attacker IP       67.220.95[.]16                       Malware distribution, exploitation
Attacker IP       156.238.237[.]103                    Confirmed root access (IDS alert)
Malware URL       http://67.220.95[.]16:8000/apps.py   Python payload delivery
File Name         apps[.]py                            Second-stage payload
SSH Key Comment   root@s51865.vps[.]hosting            Associated with persistence attempts


The post Hackers Exploiting telnetd Vulnerability for Root Access – Public PoC Released appeared first on Cyber Security News.

rssfeeds-admin
