
Critical Authentication Bypass in GNU InetUtils telnetd

2 unique sources, 3 articles

Summary


A critical authentication bypass vulnerability (CVE-2026-24061) in GNU InetUtils telnetd, affecting versions 1.9.3 to 2.7, allows remote attackers to gain root access through the USER environment variable that the telnet client sends to the server. The flaw, introduced in 2015, lets a client that supplies a crafted USER value skip the normal login authentication. Mitigations include patching and restricting network access to the telnet port. Shadowserver tracks nearly 800,000 IP addresses with Telnet fingerprints globally, with over 380,000 in Asia, almost 170,000 in South America, and just over 100,000 in Europe. GreyNoise observed 18 unique IP addresses exploiting this flaw over the past 24 hours, with attacks targeting the 'root' user in 83.3% of cases. The attacks involved automated reconnaissance and attempts to persist SSH keys and deploy Python malware, which failed on the observed systems because expected binaries or directories were missing.

Timeline

  1. 22.01.2026 18:30 · 3 articles

    Critical Authentication Bypass in GNU InetUtils telnetd Disclosed



Similar Happenings

CVE-2024-37079 in VMware vCenter Exploited in the Wild

CVE-2024-37079, a critical heap overflow flaw in VMware vCenter Server, is being actively exploited in the wild. The vulnerability, patched in June 2024, allows remote code execution via a specially crafted network packet. Broadcom confirmed the active exploitation and advised customers to apply security patches immediately. CISA added the flaw to its KEV catalog, mandating FCEB agencies to secure their systems by February 13, 2026, under BOD 22-01. There are no known workarounds or mitigations, emphasizing the urgency of applying the latest patches.

CISA Adds Actively Exploited Digiever NVR Vulnerability to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Digiever DS-2105 Pro network video recorders (NVRs) to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. The flaw, tracked as CVE-2023-52163, allows post-authentication remote code execution via command injection. The vulnerability remains unpatched as the device has reached end-of-life (EoL) status. Threat actors are exploiting this flaw to deliver botnets like Mirai and ShadowV2. CISA recommends mitigations or discontinuation of the product by January 12, 2025.

RondoDox botnet exploits 56 n-day vulnerabilities in global attacks

The RondoDox botnet has been actively exploiting over 50 vulnerabilities across more than 30 vendors since May 2025. The botnet uses an 'exploit shotgun' strategy to maximize infections, targeting both older and more recent vulnerabilities. The list of exploited vulnerabilities includes CVE-2023-1389, a flaw in the TP-Link Archer AX21 Wi-Fi router, and others demonstrated at Pwn2Own events. In January 2026, the botnet was identified targeting the critical HPE OneView vulnerability CVE-2025-37164, with over 40,000 attack attempts recorded on 7 January. The vulnerability, which has a CVSS 3.1 score of 10 (critical), was added to CISA's Known Exploited Vulnerabilities (KEV) catalog. The botnet's activity poses significant risks, especially for devices that have reached end-of-life and are more likely to remain unpatched. Many users also tend to ignore firmware updates for supported hardware, increasing the risk of exploitation. The botnet targets 35 to 40 vulnerabilities found in consumer-oriented devices, which are often unmanaged and rarely updated. The botnet's impact scale is potentially quite large, though not yet fully known. To mitigate the threat, users are advised to apply the latest firmware updates, replace end-of-life equipment, segment their networks, and use strong, unique passwords.

Red Hat OpenShift AI Privilege Escalation Vulnerability

A severe security flaw in Red Hat OpenShift AI (CVE-2025-10725) allows authenticated attackers to escalate privileges and fully compromise hybrid cloud infrastructure. The vulnerability affects versions 2.19, 2.21, and RHOAI. Attackers with low-privileged access can gain full cluster administrator privileges, leading to data theft, service disruption, and infrastructure takeover. Red Hat classifies the flaw as 'Important' due to the need for authentication, but it carries a CVSS score of 9.9. Mitigations include avoiding broad permissions and adhering to the principle of least privilege.

Critical Out-of-Bounds Write Vulnerabilities in WatchGuard Firebox Firewalls Exploited in the Wild

Over 115,000 WatchGuard Firebox network security appliances remain exposed to critical remote code execution flaws, including CVE-2025-9242 and the newly disclosed CVE-2025-14733. These vulnerabilities allow remote attackers to execute code without authentication. WatchGuard has released patches and provided temporary workarounds for administrators who cannot immediately update their devices. The vulnerabilities are actively being exploited in the wild, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-9242 to its Known Exploited Vulnerabilities (KEV) catalog on November 13, 2025, based on evidence of active exploitation. Federal Civilian Executive Branch (FCEB) agencies are advised to apply WatchGuard's patches by December 3, 2025. The Shadowserver Foundation detected over 71,000 vulnerable devices as of October 17, 2025. As of November 12, 2025, over 54,300 Firebox instances remained vulnerable, with the U.S. having the highest number of vulnerable devices at 18,500. On December 22, 2025, Shadowserver found over 124,658 unpatched Firebox instances exposed online, with 117,490 still exposed the following day. CISA added CVE-2025-14733 to its KEV catalog and ordered FCEB agencies to patch Firebox firewalls within a week, by December 26.