GNU InetUtils telnetd remote authentication bypass (CVE-2026-24061)
Vulnerability
Summary
Hide ▲
Show ▼
A critical remote authentication bypass in GNU InetUtils telnetd lets attackers skip login and reach root access on affected releases. The flaw is tracked as CVE-2026-24061 and affects GNU InetUtils 1.9.3 through 2.7. Attackers can send a crafted `USER` value of `-f root` with telnet `-a` or `--login` to abuse how `login(1)` processes the request. GreyNoise has already seen 21 IPs probing the issue in the last 24 hours, signaling active abuse pressure.
Cases
Related Happenings
Nginx UI auth-bypass exploitation wave (CVE-2026-33032)
Exploitation Wave
First: 16.04.2026 01:35
Last: 16.04.2026 01:35
Sources 1
About this happening:
**CVE-2026-33032** is now **actively exploited**, creating immediate risk for **publicly exposed Nginx UI** instances that rely on the vulnerable **/mcp_message** endpoint. Intern...
Nginx UI auth-bypass exploitation wave (CVE-2026-33032)
Exploitation WaveAbout this happening: **CVE-2026-33032** is now **actively exploited**, creating immediate risk for **publicly exposed Nginx UI** instances that rely on the vulnerable **/mcp_message** endpoint. Intern...
Marimo CVE-2026-39987 exploitation wave
Exploitation Wave
First: 12.04.2026 17:20
Last: 12.04.2026 17:20
Sources 1
About this happening:
**Marimo** exploitation activity surged **within 12 hours of disclosure**, with **125 IP addresses** beginning reconnaissance against **CVE-2026-39987** and the **/terminal/ws** e...
Marimo CVE-2026-39987 exploitation wave
Exploitation WaveAbout this happening: **Marimo** exploitation activity surged **within 12 hours of disclosure**, with **125 IP addresses** beginning reconnaissance against **CVE-2026-39987** and the **/terminal/ws** e...
GNU InetUtils telnetd pre-auth buffer overflow (CVE-2026-32746)
Vulnerability
First: 18.03.2026 07:06
Last: 18.03.2026 07:06
Sources 1
About this happening:
A **critical CVE-2026-32746** flaw in **GNU InetUtils telnetd** lets an **unauthenticated attacker** trigger **remote code execution as root** over **port 23**, exposing internet-...
GNU InetUtils telnetd pre-auth buffer overflow (CVE-2026-32746)
VulnerabilityAbout this happening: A **critical CVE-2026-32746** flaw in **GNU InetUtils telnetd** lets an **unauthenticated attacker** trigger **remote code execution as root** over **port 23**, exposing internet-...
Linux kernel AppArmor confused deputy vulnerabilities CrackArmor security flaw
Vulnerability
First: 13.03.2026 10:18
Last: 13.03.2026 10:18
Sources 1
About this happening:
Researchers disclosed **CrackArmor**, nine **confused deputy** flaws in the **Linux kernel's AppArmor module** that can let **unprivileged users** bypass protections, gain **root*...
Linux kernel AppArmor confused deputy vulnerabilities CrackArmor security flaw
VulnerabilityAbout this happening: Researchers disclosed **CrackArmor**, nine **confused deputy** flaws in the **Linux kernel's AppArmor module** that can let **unprivileged users** bypass protections, gain **root*...
Sangoma FreePBX web shell exploitation wave (CVE-2025-64328)
Exploitation Wave
First: 27.02.2026 19:59
Last: 27.02.2026 19:59
Sources 1
About this happening:
More than **900 Sangoma FreePBX** instances remain **web-shell infected** after an **ongoing exploitation wave** tied to **CVE-2025-64328**. The affected systems span the **U.S.**...
Sangoma FreePBX web shell exploitation wave (CVE-2025-64328)
Exploitation WaveAbout this happening: More than **900 Sangoma FreePBX** instances remain **web-shell infected** after an **ongoing exploitation wave** tied to **CVE-2025-64328**. The affected systems span the **U.S.**...
Timeline
-
22.01.2026 18:30 4 articles · 4mo ago
CVE-2026-24061 introduced into GNU InetUtils telnetd
Technical Analysis UpdateA source code commit on March 19, 2015 introduced a GNU InetUtils telnetd authentication bypass later tracked as CVE-2026-24061, creating the condition where a crafted `USER` environment value of `-f root` can reach `login(1)` without normal authentication.
Show sources
- Critical GNU InetUtils telnetd Flaw Lets Attackers Bypass Login and Gain Root Access — thehackernews.com — 22.01.2026 18:30
- Hackers exploit critical telnetd auth bypass flaw to get root — www.bleepingcomputer.com — 23.01.2026 18:21
- Organizations Warned of Exploited Linux Vulnerabilities — www.securityweek.com — 27.01.2026 12:37
- One threat actor responsible for 83% of recent Ivanti RCE attacks — www.bleepingcomputer.com — 14.02.2026 18:02
-
22.01.2026 18:30 2 articles · 4mo ago
GNU InetUtils telnetd disclosure and active probing
Initial DisclosurePublic disclosure on January 22, 2026 described the GNU InetUtils telnetd remote authentication bypass affecting versions 1.9.3 through 2.7 and noted 21 unique IP addresses from Hong Kong, the U.S., Japan, the Netherlands, China, Germany, Singapore, and Thailand attempting exploitation over the prior 24 hours; recommended mitigations included patching, restricting telnet access, disabling telnetd, or using a custom `login(1)` tool that rejects `-f`.
Show sources
- Critical GNU InetUtils telnetd Flaw Lets Attackers Bypass Login and Gain Root Access — thehackernews.com — 22.01.2026 18:30
- Critical GNU InetUtils telnetd Flaw Lets Attackers Bypass Login and Gain Root Access — thehackernews.com — 22.01.2026 18:30
-
19.01.2026 02:00 1 articles · 4mo ago
Security researcher reports GNU InetUtils telnetd flaw
Technical Analysis UpdateSecurity researcher Kyu Neushwaistein (aka Carlos Cortes Alvarez) discovered and reported the GNU InetUtils telnetd flaw on January 19, 2026 after identifying that `telnetd` passes the `USER` environment variable to `login(1)` without sanitizing it.
Show sources
- Critical GNU InetUtils telnetd Flaw Lets Attackers Bypass Login and Gain Root Access — thehackernews.com — 22.01.2026 18:30