CVE-2026-24061

high-risk
Published 2026-01-21

telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.

Do I need to act?

!
88.0% chance of exploitation in next 30 days
EPSS score — higher than 12% of all CVEs
!
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (2)

Affected Vendors

Debian Gnu

References (13)

Patch https://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362e...
Patch https://codeberg.org/inetutils/inetutils/commit/fd702c02497b2f398e739e3119bed0b2...
Mitigation https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html
Product https://www.gnu.org/software/inetutils/
Mailing List https://www.openwall.com/lists/oss-security/2026/01/20/2
Mailing List https://www.openwall.com/lists/oss-security/2026/01/20/8
Third Party Advisory https://www.vicarius.io/vsociety/posts/cve-2026-24061-detection-script-remote-au...
Mitigation https://www.vicarius.io/vsociety/posts/cve-2026-24061-mitigation-script-remote-a...
Mailing List http://www.openwall.com/lists/oss-security/2026/01/22/1
Mailing List https://lists.debian.org/debian-lts-announce/2026/01/msg00025.html
US Government Resource https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-...
Exploit https://www.labs.greynoise.io/grimoire/2026-01-22-f-around-and-find-out-18-hours...
Mailing List https://www.openwall.com/lists/oss-security/2026/01/20/2#:~:text=root@...a%3A~%2...
66
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 27/34 · High
Exposure 7/34 · Low