TL;DR: CVE-2026-24061 is a CVSS 9.8 flaw in GNU InetUtils telnetd that lets unauthenticated attackers reach an immediate root shell with a single command, with active exploitation already observed and public scans targeting exposed port 23, according to Orca Security. The issue shows that unauthenticated remote access services remain a direct identity risk, not just a network hygiene problem.
NHIMG editorial — based on content published by Orca Security: CVE-2026-24061 analysis of telnetd root-shell exploitation
By the numbers:
- A critical vulnerability (CVE-2026-24061, CVSS 9.8) was disclosed on January 20, 2026, affecting GNU InetUtils telnetd versions 1.9.3 through 2.7.
- GreyNoise reporting indicates that 83% of observed exploitation attempts targeted root access specifically.
Questions worth separating out
Q: What breaks when telnetd can pass user input into login as a command flag?
A: The authentication boundary breaks.
Q: Why are exposed legacy remote login services such a high-risk identity issue?
A: Because they collapse access, authentication, and privilege into one internet-reachable path.
Q: How do security teams know whether a telnet exploit is actually working in the environment?
A: Look for root login events through telnetd that do not match normal password prompts, plus command-line patterns where USER begins with a dash.
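The two signals from the last answer, applied to constructed process-execution records. This is an added example, not code or detection content from Orca Security's report; the JSON schema and its field names (`parent`, `env`, `uid_after`, `password_prompted`) are assumptions, and `-x placeholder` is a harmless stand-in value.

```python
import json

# Constructed process-execution records in a hypothetical JSON-lines schema
# (not a real EDR or auditd format). "-x placeholder" is a stand-in value.
SAMPLE_EVENTS = """\
{"host": "gw1", "pid": 410, "parent": "telnetd", "exe": "/usr/bin/login", "env": {"USER": "alice"}, "uid_after": 1000, "password_prompted": true}
{"host": "gw1", "pid": 422, "parent": "telnetd", "exe": "/usr/bin/login", "env": {"USER": "-x placeholder"}, "uid_after": 0, "password_prompted": false}
{"host": "gw2", "pid": 77, "parent": "sshd", "exe": "/usr/bin/login", "env": {"USER": "bob"}, "uid_after": 1001, "password_prompted": true}
{"host": "gw3", "pid": 90, "parent": "telnetd", "exe": "/usr/bin/login", "env": {"USER": "root"}, "uid_after": 0, "password_prompted": false}
"""


def classify(event):
    """Return the reasons a telnetd-spawned login event is suspicious."""
    if event.get("parent") != "telnetd" or not str(event.get("exe", "")).endswith("/login"):
        return []
    reasons = []
    user = str(event.get("env", {}).get("USER", ""))
    if user.lstrip().startswith("-"):
        # A username should never parse as an option to login.
        reasons.append("USER begins with a dash")
    if event.get("uid_after") == 0 and not event.get("password_prompted", False):
        reasons.append("root session without password prompt")
    return reasons


def scan(text):
    """Scan JSON-lines text and return (host, pid, reasons) per finding."""
    findings = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if not isinstance(event, dict):
            continue
        reasons = classify(event)
        if reasons:
            findings.append((event.get("host"), event.get("pid"), reasons))
    return findings


if __name__ == "__main__":
    for host, pid, reasons in scan(SAMPLE_EVENTS):
        print(f"{host} pid={pid}: {'; '.join(reasons)}")
```

The two checks are kept independent so that a root session with no password prompt is still reported when the USER value looks ordinary.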
Practitioner guidance
- Inventory every telnetd instance immediately. Find all GNU InetUtils telnetd deployments, confirm version range, and identify whether any instance is internet-facing or still reachable from flat internal networks.
- Disable or remove telnetd before patching cycles complete. Stop the service, disable it at boot, and remove the package where possible.
- Block TCP port 23 at every perimeter and segment boundary. Add controls at firewalls, security groups, and host-level rules so exposed telnet services cannot be reached from untrusted networks.
What's in the full article
Orca Security's full report covers the operational detail this post intentionally leaves for the source:
- Exact remediation guidance for affected GNU InetUtils versions across major Linux distributions
- Detection examples for telnetd log patterns, NEW_ENVIRON abuse, and root-shell process traces
- Exposure context from internet scanning and active exploitation telemetry
- Vendor guidance on using contextual prioritisation and attack-path analysis to rank affected assets