800K+ Telnet Servers Exposed to RCE Attacks – PoC Released

A critical authentication bypass vulnerability in the telnetd component of GNU Inetutils has exposed approximately 800,000 internet-accessible Telnet instances to unauthenticated remote code execution (RCE).

Tracked as CVE-2026-24061 with a CVSS score of 9.8, the flaw allows attackers to gain root-level access without valid credentials, posing a severe risk to exposed infrastructure worldwide.

Vulnerability Details

The vulnerability stems from an argument injection flaw in telnetd versions 1.9.3 through 2.7.

The telnetd server fails to sanitize the USER environment variable before passing it to /usr/bin/login, allowing attackers to inject the string “-f root” and bypass authentication entirely.

When an attacker connects using telnet -a or --login with USER set to “-f root”, the login process interprets the “-f” flag as a force-login parameter, automatically granting root access without performing authentication checks.

The vulnerability was introduced in a March 2015 source code commit that remained undetected for nearly 11 years across major Linux distributions, including Debian, Ubuntu, Kali Linux, and Trisquel.

Proof-of-concept exploits have been publicly released and are actively being leveraged in the wild.

GreyNoise detected real-world exploitation within 18 hours of public disclosure, capturing 1,525 packets across 60 Telnet sessions from 18 unique attacker IPs between January 21-22, 2026.

The majority of attacks (83.3%) targeted root user access, with post-exploitation activities including SSH key persistence, system reconnaissance, and attempts to deploy malware.

Organizations should immediately upgrade to GNU InetUtils version 2.8 or later.

https://twitter.com/Shadowserver/status/2015732286562398351?ref_src=twsrc%5Etfw

For systems unable to upgrade, critical mitigations include: turning off the telnetd service entirely, blocking TCP port 23 at network perimeter firewalls, and restricting Telnet access to trusted clients only.

The Shadowserver Foundation’s Accessible Telnet Report can help organizations identify exposed instances on their networks.

The post 800K+ Telnet Servers Exposed to RCE Attacks – PoC Released appeared first on Cyber Security News.
