Tracked as CVE-2026-24061 with a CVSS score of 9.8, the flaw allows attackers to gain root-level access without valid credentials, posing a severe risk to exposed infrastructure worldwide.
The vulnerability stems from an argument injection flaw in telnetd versions 1.9.3 through 2.7.
The telnetd server fails to sanitize the USER environment variable before passing it to/usr/bin/login, allowing attackers to inject the string “-f root” and bypass authentication entirely.
When an attacker connects using telnet -a or –login with USER set to “-f root”, the login process interprets the “-f” flag as a force-login parameter, automatically granting root access without performing authentication checks.
The vulnerability was introduced in a March 2015 source code commit that remained undetected for nearly 11 years across major Linux distributions, including Debian, Ubuntu, Kali Linux, and Trisquel.
Proof-of-concept exploits have been publicly released and are actively being leveraged in the wild.
GreyNoise detected real-world exploitation within 18 hours of public disclosure, capturing 1,525 packets across 60 Telnet sessions from 18 unique attacker IPs between January 21-22, 2026.
The majority of attacks (83.3%) targeted root user access, with post-exploitation activities including SSH key persistence, system reconnaissance, and attempts to deploy malware.
Organizations should immediately upgrade to GNU InetUtils version 2.8 or later.
For systems unable to upgrade, critical mitigations include: turning off the telnetd service entirely, blocking TCP port 23 at network perimeter firewalls, and restricting Telnet access to trusted clients only.
The Shadowserver Foundation’s Accessible Telnet Report can help organizations identify exposed instances on their networks.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post 800K+ Telnet Servers Exposed to RCE Attacks – PoC Released appeared first on Cyber Security News.
Linus Torvalds has warned that a “continued flood” of AI‑generated bug reports is making the Linux…
Four malicious npm packages capable of stealing SSH keys, cloud credentials, cryptocurrency wallets, and environment…
CISA has issued a fresh warning about a newly disclosed Microsoft Exchange Server vulnerability that…
A widely used WordPress plugin powering over one million websites has been hit by two…
INDIANAPOLIS (AP): Alex Palou surprised himself Sunday. The Spanish driver who has dominated race after…
Election officials in Tennessee are working quickly to update voter rolls before the Aug. 6,…
This website uses cookies.