A critical vulnerability in the telnetd component of GNU InetUtils, tracked as CVE-2026-24061, has been actively exploited in the wild, allowing attackers to bypass authentication and gain root access. This flaw, which has been present for over a decade, was publicly disclosed on January 21, 2026, and has since been added to CISA's Known Exploited Vulnerabilities (KEV) catalog due to its severity and active exploitation.
The vulnerability, which carries a CVSS score of 9.8, is classified under CWE-88 and involves an authentication bypass via the USER environment variable. Specifically, attackers can exploit this flaw by passing a "-f root" value, effectively bypassing the authentication process and gaining unauthorized root access to the affected systems. This makes it a critical threat to any systems running vulnerable versions of GNU InetUtils.
The exploitability of this vulnerability is underscored by its Exploit Prediction Scoring System (EPSS) score of 0.870, indicating a high likelihood of exploitation. Furthermore, the time to exploit (TTE) was remarkably short, with attackers leveraging the flaw within just 0.7 days of its disclosure. This rapid exploitation highlights the urgency for organizations to address this vulnerability immediately.
Proof-of-concept (PoC) exploits have proliferated quickly, with at least 62 PoCs available, further facilitating potential exploitation by threat actors. The availability of these PoCs, combined with the critical nature of the vulnerability, poses a significant risk to unpatched systems.
Organizations using GNU InetUtils are urged to apply patches or mitigations without delay. The vulnerability affects all versions of GNU InetUtils through 2.7, and administrators should ensure they are running a patched version to prevent unauthorized access. Synology, a notable user of GNU InetUtils, has already issued advisories urging users to update their systems and apply necessary patches to protect against potential exploitation.
Given the critical nature of CVE-2026-24061 and its active exploitation, security teams should prioritize patching and monitor their systems for any signs of compromise. Implementing network segmentation and monitoring for unusual activity related to telnetd processes can also help mitigate the risk of exploitation. Additionally, disabling unnecessary services such as telnetd can reduce the attack surface and prevent unauthorized access.
In summary, CVE-2026-24061 represents a significant threat due to its ease of exploitation and the potential for severe impact. Organizations must act swiftly to patch affected systems and implement additional security measures to protect against this critical vulnerability.
CSURFACE