CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2026-24061

CVSS 9.8v3.1pub. 2026-01-21upd. 2026-02-11

telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.

🤖 AI Analysis
How it works

The attacker sends the value "-f root" to the telnetd server as the content of the USER environment variable when establishing a Telnet session. This value is interpreted as a command-line argument (CWE-88: argument injection), causing the authentication mechanism to be bypassed and the session to be opened with root user privileges. The attack requires no authentication, user interaction, or special privileges — only network access to the telnetd service is sufficient.

Impact

An unauthorized remote attacker gains full system access with administrator (root) privileges, enabling server takeover, data read and modification, and further actions within the victim's network.

Mitigation & patch

Immediately apply patches indicated in the project repository commits (ccba9f748aa8d50a38d7748e2e60362edd6a32cc and fd702c02497b2f398e739e3119bed0b23dd7aa7b). Until updating, it is recommended to disable the telnetd service and replace it with a more secure alternative (e.g., SSH). Monitor Debian Linux distribution package updates and apply them immediately upon release.

Who is affected

GNU Inetutils versions up to 2.7 inclusive (telnetd); Debian Linux-based systems using the inetutils package

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Debian

    OS
    Debian
    11.0
  • Gnu Inetutils

    APP
    Gnu
    1.9.3 – 2.7

CISA KEV — detailsi

Vendori
GNU
Producti
InetUtils
Added to KEVi
January 26, 2026
Remediation deadline (US Federal)i
February 16, 2026(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

GNU InetUtils contains an argument injection vulnerability in telnetd that could allow for remote authentication bypass via a "-f root" value for the USER environment variable.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 16 lutego 2026
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)

CVE-2025-49113CRITICAL9.9⚠ KEVPL ✓ten sam produkt

RCE przez deserializację PHP w Roundcube Webmail (parametr _from)

CVE-2025-32433CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)

CVE-2025-24201CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki

CVE-2025-24813CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Apache Tomcat: Path Equivalence prowadzący do RCE i ujawnienia danych