A critical remote code execution vulnerability, CVE-2026-24061, in the telnetd daemon of GNU Inetutils is actively exploited, prompting immediate remediation across operational technology (OT) environments. Dream Security and multiple threat intelligence firms report that the flaw permits unauthenticated remote root access, highlighting the urgency of patching, network segmentation, and coordinated risk management across stakeholders.
Background
The vulnerability, introduced in a March 19, 2015 code change and present since GNU Inetutils version 1.9.3 (released May 12, 2015), was discovered in January 2026. Telnetd failed to sanitize the USER environment variable, enabling the injection of the "-f root" option during session negotiation and bypassing authentication1Critical GNU InetUtils telnetd flaw allows remote root login – iSec News. The issue affects versions 1.9.3 through 2.7; a patch is available in version 2.82Cyber Intel Brief: telnetd Critical Authentication Bypass Vulnerability.
While Telnet is considered legacy, it remains widely used in industrial control systems (ICS), OT, embedded systems, routers, and older network appliances2Cyber Intel Brief: telnetd Critical Authentication Bypass Vulnerability. According to Shadowserver's scan data, approximately 800,000 telnetd services are exposed globally, presenting a significant and constant attack surface3Experts flag around 800,000 Telnet servers exposed to remote attacks - here's why users should be on their guard.
Details
CVE-2026-24061 is rated critical, with a CVSS score of 9.8. Exploitation requires neither authentication nor user interaction, operates remotely, and grants elevated root privileges2Cyber Intel Brief: telnetd Critical Authentication Bypass Vulnerability. Within hours of disclosure, security monitoring identified broad scanning and exploitation attempts from global IP ranges4CVE-2026-24061 – Critical GNU InetUtils Telnetd Remote Authentication Bypass. Publicly available proof-of-concept (PoC) code further lowers the threshold for abuse5Instant Root Access via CVE-2026-24061: A Decade-Old Bug Comes Alive | Hive Pro.
Mitigation strategies focus on partitioning OT networks, implementing granular access controls, and improving coordination among IT, OT, vendors, and systems integrators. Experts recommend aligning patch deployment with production schedules and updating incident response plans to address evolving threat scenarios in industrial settings.
Outlook
Operators are urged to identify all telnetd instances and implement network segmentation for OT environments. Upgrading to GNU Inetutils 2.8 or newer is advised. If patching is not immediately feasible, custom login utilities that reject the "-f" flag and restricting telnet access with firewalls or access control lists (ACLs) can provide temporary risk reduction. Cross-functional coordination among IT, OT, vendors, and service providers is critical to maintain security, particularly within critical infrastructure and manufacturing sectors.
