Description
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.
Published: 2026-01-21
Score: 9.8 Critical
EPSS: 87.0% High
KEV: Yes
Impact: Remote Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

telnetd in GNU Inetutils versions up to and including 2.7 lets a remote client bypass authentication by supplying a USER environment variable whose value is "-f root". That string is login(1)'s "-f" option (user already authenticated, skip the password prompt) followed by a user name: telnetd passes the client-controlled USER value through to the login program, which interprets the option and opens a root session without asking for credentials. The flaw is classified as CWE-88 (Improper Neutralization of Argument Delimiters in a Command, commonly called argument injection). The defect is therefore not a missing credential check in telnetd itself but its failure to neutralize option syntax in a value it forwards to another program; because the attacker also chooses the user name, the outcome is an unauthenticated root shell, compromising the confidentiality, integrity and availability of the host.

Affected Systems

The vulnerability affects the telnetd daemon in the GNU Inetutils package, versions 2.7 and earlier. The NVD configuration data additionally lists Debian 11 (cpe:2.3:o:debian:debian_linux:11.0) as affected, and Debian LTS, Debian and Ubuntu have all shipped inetutils security updates (see the Advisories section). Any host running an unpatched telnetd that is reachable over the network, on TCP port 23 by default, is at risk; telnetd is commonly started on demand by inetd, so a daemon that is not visibly running can still be exposed.

Risk and Exploitability

The issue has a CVSS 3.1 base score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): reachable over the network, no privileges or user interaction required, and complete loss of confidentiality, integrity and availability. Its EPSS score of 87% places it among the vulnerabilities most likely to be exploited, and it is listed in the CISA Known Exploited Vulnerabilities catalog (added 2026-01-26, remediation due 2026-02-16), which records active exploitation; the SSVC assessment on this page moved from "poc" to "active" the same day. The attack vector is an ordinary telnet session: the telnet protocol lets a client send environment variables to the server through the NEW-ENVIRON option (RFC 1572), and standard telnet clients export the local USER variable this way, so an attacker only needs USER set to "-f root" in their own environment before connecting. telnetd forwards that value to login, which treats it as a pre-authenticated root login and hands the client a root shell.
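The two paragraphs above describe the mechanism (a client-supplied USER value that login parses as its "-f" option) and the delivery path (a telnet session). The following Python is an added example, not code from GNU Inetutils or from this page: it decodes the telnet NEW-ENVIRON option (RFC 1572) through which a client ships USER to telnetd, extracts the value, and applies the check that a hardened telnetd, or a sensor watching port 23, should apply before that value can reach login. The byte strings are constructed packets, the function names and the POSIX portable-user-name rule are this example's own choices, and it assumes, as the "-f root" payload implies, that telnetd passes the USER string to login as an argument.

```python
"""Decode telnet NEW-ENVIRON (RFC 1572) subnegotiations and flag a USER value that
smuggles login(1) options, the pattern behind CVE-2026-24061. Added example, not
GNU Inetutils code: the byte strings at the bottom are constructed, and the
login-name rule (a POSIX portable user name) is this example's own choice."""
from __future__ import annotations

import re

IAC, WILL, SB, SE = 255, 251, 250, 240   # telnet command bytes
NEW_ENVIRON = 39                          # RFC 1572 option code
IS, SEND, INFO = 0, 1, 2                  # NEW-ENVIRON subnegotiation commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3     # entry type codes

# POSIX portable user name: letters, digits, '_' and '-', never a leading '-'.
SAFE_LOGIN_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def iter_subnegotiations(stream: bytes):
    """Yield (option, payload) for each IAC SB <opt> ... IAC SE; doubled IAC
    bytes are un-escaped and other IAC commands (DO/WILL/...) are skipped."""
    i, n = 0, len(stream)
    while i + 2 < n:
        if stream[i] != IAC or stream[i + 1] != SB:
            i += 2 if stream[i] == IAC else 1   # skip IAC IAC / IAC <cmd>, or plain data
            continue
        option, j, payload = stream[i + 2], i + 3, bytearray()
        while j + 1 < n and not (stream[j] == IAC and stream[j + 1] == SE):
            if stream[j] == IAC and stream[j + 1] != IAC:
                raise ValueError("unexpected IAC command inside subnegotiation")
            payload.append(stream[j])
            j += 2 if stream[j] == IAC else 1    # IAC IAC collapses to one 0xff
        if j + 1 >= n:
            return                               # truncated: no terminating IAC SE
        yield option, bytes(payload)
        i = j + 2


def parse_new_environ(payload: bytes) -> tuple[int, list[tuple[str, str, str]]]:
    """Return (command, [(kind, name, value), ...]) with kind 'VAR' or 'USERVAR';
    inside names and values ESC escapes the four type codes."""
    command, i = payload[0], 1
    entries: list[tuple[str, bytearray, bytearray]] = []
    field = None                          # the name or value being filled in
    while i < len(payload):
        b = payload[i]
        if b in (VAR, USERVAR):
            entries.append(("VAR" if b == VAR else "USERVAR", bytearray(), bytearray()))
            field = entries[-1][1]
        elif b == VALUE and entries:
            field = entries[-1][2]
        elif field is None or b == VALUE or (b == ESC and i + 1 >= len(payload)):
            raise ValueError(f"malformed NEW-ENVIRON entry at offset {i}")
        elif b == ESC:
            i += 1                        # escaped type code: take the next byte literally
            field.append(payload[i])
        else:
            field.append(b)
        i += 1
    return command, [(k, bytes(nm).decode("latin-1"), bytes(v).decode("latin-1"))
                     for k, nm, v in entries]


def check_login_name(name: str) -> tuple[bool, str]:
    """Decide whether a client-supplied USER may be handed to login at all."""
    if name.startswith("-"):
        return False, "leading '-': would be parsed as a login option"
    if any(c.isspace() for c in name):
        return False, "whitespace: could split into extra arguments"
    if not SAFE_LOGIN_NAME.match(name):
        return False, "not a POSIX portable user name"
    return True, "ok"


def audit_telnet_stream(stream: bytes) -> list[dict]:
    """Report every USER value a client offered in a NEW-ENVIRON IS/INFO reply."""
    findings: list[dict] = []
    for option, payload in iter_subnegotiations(stream):
        if option != NEW_ENVIRON:
            continue
        command, entries = parse_new_environ(payload)
        if command not in (IS, INFO):     # SEND is the server's request, not data
            continue
        for kind, name, value in entries:
            if kind == "VAR" and name == "USER":
                safe, reason = check_login_name(value)
                findings.append({"user": value, "safe": safe, "reason": reason})
    return findings


# Constructed samples (client -> server): WILL NEW-ENVIRON, then IS VAR "USER" VALUE ...
BENIGN_STREAM = b"\xff\xfb\x27\xff\xfa\x27\x00\x00USER\x01alice\x00DISPLAY\x01x:0\xff\xf0"
ATTACK_STREAM = b"\xff\xfb\x27\xff\xfa\x27\x00\x00USER\x01-f root\xff\xf0"

if __name__ == "__main__":
    for label, stream in (("benign", BENIGN_STREAM), ("attack", ATTACK_STREAM)):
        print(label, audit_telnet_stream(stream))
```

Run directly, it prints one finding per stream: "alice" passes and "-f root" is rejected for its leading "-". As a detection rule the same walk over captured client-to-server bytes flags any USER that begins with "-" or contains whitespace, which is the signature of this argument injection whatever user name follows the option; as a server-side fix, the same check sits between the option decoder and the exec of login.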

Generated by OpenCVE AI on April 22, 2026 at 03:46 UTC.

Remediation

No upstream GNU Inetutils fix or workaround is recorded here; patched distribution packages are available from Debian (DLA-4453-1, DLA-4527-1, DSA-6106-1) and Ubuntu (USN-7992-1, USN-7992-2), listed under Advisories below.

OpenCVE Recommended Actions

  • Upgrade GNU Inetutils to a release after 2.7 that carries the fix (e.g., 2.8 or newer), or on Debian and Ubuntu install the patched distribution packages from the advisories listed below (DLA-4453-1, DLA-4527-1, DSA-6106-1, USN-7992-1, USN-7992-2) and restart the telnet service or its inetd/socket activation.
  • If an immediate update is not possible, restrict TCP port 23 to trusted hosts with a host or network firewall. The USER value arrives from the remote client through the telnet NEW-ENVIRON option, so clearing USER in telnetd's own startup environment does not help; no configuration-level workaround is recorded on this page.
  • Prefer disabling the telnet service entirely and replacing it with SSH; telnet also transmits credentials and session data in cleartext, so a patched telnetd remains a poor choice for remote access.



Advisories
Source       ID           Title
Debian DLA   DLA-4453-1   inetutils security update
Debian DLA   DLA-4527-1   inetutils security update
Debian DSA   DSA-6106-1   inetutils security update
Ubuntu USN   USN-7992-1   Inetutils vulnerability
Ubuntu USN   USN-7992-2   Inetutils vulnerability
History

Wed, 22 Apr 2026 04:15:00 +0000

Title (added): Remote Authentication Bypass in GNU Inetutils Telnetd Using USER Environment Variable

Thu, 16 Apr 2026 08:15:00 +0000

Title (added): Remote Authentication Bypass in GNU Inetutils Telnetd Using USER Environment Variable

Tue, 10 Feb 2026 17:30:00 +0000


Thu, 29 Jan 2026 18:30:00 +0000


Tue, 27 Jan 2026 16:30:00 +0000

First Time appeared (added): Debian; Debian debian Linux
CPEs (added): cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Vendors & Products (added): Debian; Debian debian Linux

Mon, 26 Jan 2026 21:15:00 +0000

References: updated
Metrics ssvc (removed): {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Metrics ssvc (added): {'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 20:30:00 +0000

Metrics kev (added): {'dateAdded': '2026-01-26T00:00:00+00:00', 'dueDate': '2026-02-16T00:00:00+00:00'}


Sun, 25 Jan 2026 01:30:00 +0000

References: updated

Thu, 22 Jan 2026 23:00:00 +0000

References: updated
Metrics ssvc (added): {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 21 Jan 2026 07:15:00 +0000

First Time appeared (added): Gnu; Gnu inetutils
CPEs (added): cpe:2.3:a:gnu:inetutils:*:*:*:*:*:*:*:*
Vendors & Products (added): Gnu; Gnu inetutils

Wed, 21 Jan 2026 07:00:00 +0000

Description (added): telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.
Weaknesses (added): CWE-88
References: updated
Metrics cvssV3_1 (added): {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-25T13:31:53.588Z

Reserved: 2026-01-21T06:42:16.865Z

Link: CVE-2026-24061

Vulnrichment

Updated: 2026-01-25T00:15:44.959Z

NVD

Status : Analyzed

Published: 2026-01-21T07:16:01.597

Modified: 2026-02-11T15:40:42.937

Link: CVE-2026-24061

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T04:00:07Z

Weaknesses