Description
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.
CISA Known Exploited Vulnerability
Date added 2026-01-26 | Due date 2026-02-16
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Problem types
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Product status
1.9.3 (custom)
References
www.openwall.com/lists/oss-security/2026/01/20/2
www.labs.greynoise.io/...-unsolicited-houseguests/index.html
www.cisa.gov/...erabilities-catalog?field_cve=CVE-2026-24061
www.openwall.com/lists/oss-security/2026/01/22/1
lists.debian.org/debian-lts-announce/2026/01/msg00025.html
www.openwall.com/lists/oss-security/2026/01/20/2
www.openwall.com/lists/oss-security/2026/01/20/8
www.gnu.org/software/inetutils/
lists.gnu.org/...ve/html/bug-inetutils/2026-01/msg00004.html
codeberg.org/...mit/fd702c02497b2f398e739e3119bed0b23dd7aa7b
codeberg.org/...mit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc
www.vicarius.io/...ntication-bypass-in-gnu-inetutils-package
www.vicarius.io/...ntication-bypass-in-gnu-inetutils-package