27-Year-Old Telnet Vulnerability CVE-2026-24061 Grants Root Access
A critical flaw in the GNU Inetutils telnet daemon (telnetd) affects all versions through 2.7. Tracked as CVE-2026-24061, it lets an unauthenticated remote attacker obtain root. SafeBreach researcher Ron Ben Yizhak found the root cause: environment variables supplied by the client are not properly sanitized.
telnetd accepts environment variables from the client and passes them straight to /bin/login, which it executes as root. Because a root process is exec'ing another root program (no set-user-ID transition), the Linux kernel sets AT_SECURE=0 in the auxiliary vector, so glibc never enters secure-execution mode, the mode in which it would ignore unsafe variables such as GCONV_PATH, LD_PRELOAD and LD_LIBRARY_PATH. Every client-supplied variable is trusted, and an attacker can inject a payload during the option negotiation that precedes the login prompt.
Ron Ben Yizhak states: “The telnetd daemon doesn’t sanitize the CREDENTIALS_DIRECTORY environment variable before passing it to /bin/login.”
A recent upstream commit, 4db2f19f, clears one variable, but the fix is a blacklist and remains weak. Justin Swartz demonstrated a bypass through GCONV_PATH: gettext calls iconv_open(), which consults the gconv-modules file under GCONV_PATH and loads the shared object it names into the root process.
Attack Chain Explained
During NEW-ENVIRON negotiation the client sends USER="-f root". telnetd hands that value to /bin/login, which reads it as its -f option (user already authenticated), so no login prompt appears. Before anything else, login's message localization calls gettext; with GCONV_PATH pointing at an attacker-controlled gconv-modules file, the shared object it references is loaded and its code runs silently as root.
Justin Swartz confirms: “AT_SECURE=0 means dynamic linker trusts client environment completely.”
The proof of concept copies /bin/sh and makes the copy set-UID root (euid=0, egid=0), yielding a full root shell with no authentication performed.
Vendor Responses
| Organization | Statement/Details |
|---|---|
| Debian Security | “Ron Ben Yizhak discovered CREDENTIALS_DIRECTORY sanitization failure in telnetd.” |
| H-ISAC | “Active exploitations confirmed within 24 hours of disclosure.” |
| Rescana Labs | “~800,000 devices exposed globally via Shodan scans.” |
| Tenable Research | “Exploitation confirmed across embedded systems and network appliances.” |
Affected Systems Scope
Legacy network gear and embedded devices often ship with telnetd enabled. IoT appliances, industrial controllers and old Unix servers are at greatest risk. Modern Linux distributions have deprecated telnet, but the packages remain installable.
Shodan shows more than 800,000 exposed telnet ports served by vulnerable inetutils builds, and network appliances often never receive upstream patches.
Historical Context and Fixes
The flaw descends from the CVE-1999-0073 era, when telnetd already let clients set LD_LIBRARY_PATH; the same root-to-root spawn model has persisted for 27 years. OpenSSH avoids the problem with its AcceptEnv whitelist.
Debian Security Team: “Upgrade to GNU Inetutils 2.8 or disable telnetd service immediately.”
Pass only a whitelist of known-safe variables to the login program, validate every value, and block port 23 at the network edge with ACLs.
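The following is an added example, not code from the article or from GNU Inetutils. It shows both sides of the mechanism in the attack chain above: how a client packs USER="-f root" and GCONV_PATH into a NEW-ENVIRON (RFC 1572) subnegotiation, how the server side decodes it, and what an AcceptEnv-style whitelist (the fix recommended above) does with the result. The whitelist contents, the value regexes and the constructed subnegotiation are this example's assumptions; they are not the project's code.

```python
#!/usr/bin/env python3
"""RFC 1572 NEW-ENVIRON encode/decode plus an AcceptEnv-style whitelist for the
variables a telnet client is allowed to hand to the login program (added example)."""
import re

# Telnet and NEW-ENVIRON protocol constants (RFC 854, RFC 1572)
IAC, SB, SE = 255, 250, 240
NEW_ENVIRON = 39
IS, SEND, INFO = 0, 1, 2
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3


def encode_new_environ(pairs, cmd=IS):
    """Client side: the body between IAC SB and IAC SE, i.e. option code, IS/INFO,
    then VAR name VALUE value ..., with the four type bytes escaped by ESC and
    IAC doubled as telnet requires inside a subnegotiation."""
    def quote(text):
        out = bytearray()
        for b in text.encode("latin-1"):
            if b in (VAR, VALUE, ESC, USERVAR):
                out += bytes([ESC, b])
            elif b == IAC:
                out += bytes([IAC, IAC])
            else:
                out.append(b)
        return out

    body = bytearray([NEW_ENVIRON, cmd])
    for name, value in pairs:
        body.append(VAR)
        body += quote(name)
        body.append(VALUE)
        body += quote(value)
    return bytes(body)


def decode_new_environ(body):
    """Server side: recover name -> value from an IS/INFO body; raises on malformed input."""
    if len(body) < 2 or body[0] != NEW_ENVIRON or body[1] not in (IS, INFO):
        raise ValueError("not a NEW-ENVIRON IS/INFO subnegotiation")
    data = body[2:].replace(bytes([IAC, IAC]), bytes([IAC]))
    env, name, value, cur = {}, None, None, None
    i = 0
    while i < len(data):
        b = data[i]
        i += 1
        if b in (VAR, USERVAR):          # a new variable name starts
            if name is not None:
                env[name.decode("latin-1")] = (value or b"").decode("latin-1")
            name, value = bytearray(), None
            cur = name
        elif b == VALUE:                 # switch to collecting the value
            if name is None:
                raise ValueError("VALUE before VAR")
            value = bytearray()
            cur = value
        elif b == ESC:                   # next byte is literal, whatever it is
            if cur is None or i >= len(data):
                raise ValueError("dangling ESC")
            cur.append(data[i])
            i += 1
        elif cur is None:
            raise ValueError("data outside VAR/VALUE")
        else:
            cur.append(b)
    if name is not None:
        env[name.decode("latin-1")] = (value or b"").decode("latin-1")
    return env


# Whitelist in the spirit of OpenSSH's AcceptEnv; the set is this example's assumption.
# LANG/LC_* are deliberately absent because the attack chain runs through login's
# localization; add them only if the login program is known to handle them safely.
ACCEPT_ENV = {"TERM", "USER"}
SAFE_VALUE = re.compile(r"[A-Za-z0-9._:@/+-]{1,255}")   # no blanks, quotes, NUL, control bytes
USERNAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")        # cannot start with '-', so never a login option


def sanitize_client_env(env):
    """Split client-supplied variables into (accepted, rejected -> reason)."""
    accepted, rejected = {}, {}
    for name, value in env.items():
        if name not in ACCEPT_ENV:
            rejected[name] = "not in whitelist"          # GCONV_PATH, LD_*, CREDENTIALS_DIRECTORY, ...
        elif name == "USER" and not USERNAME.fullmatch(value):
            rejected[name] = "not a plain username"      # the "-f root" trick
        elif not SAFE_VALUE.fullmatch(value):
            rejected[name] = "unsafe characters in value"
        else:
            accepted[name] = value
    return accepted, rejected


if __name__ == "__main__":
    # Constructed subnegotiation modelled on the attack chain described above.
    hostile = encode_new_environ([("USER", "-f root"),
                                  ("GCONV_PATH", "/tmp/.gconv"),
                                  ("TERM", "xterm-256color")])
    env = decode_new_environ(hostile)
    passed, dropped = sanitize_client_env(env)
    print("client sent:    ", env)
    print("passed to login:", passed)
    print("dropped:        ", dropped)
```

The point of the whitelist over the blacklist in commit 4db2f19f is that a variable the server has never heard of (the next GCONV_PATH) is dropped by default rather than forwarded; the separate username check exists because USER is used both as an environment variable and as login's argument, so a value that parses as an option must never reach it.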
Detection and Response
- Monitor telnet logs for USER="-f root" patterns.
- Scan for set-UID binaries in /tmp and /var/tmp.
- Check /proc/<pid>/environ of root processes for GCONV_PATH and OUTPUT_CHARSET.
- Audit root processes spawned from inetutils-telnetd.
- Deploy YARA rules for malicious .so files.
Immediate Mitigation Steps
- systemctl disable --now telnet.service (or remove the inetd/xinetd entry that launches telnetd)
- iptables -A INPUT -p tcp --dport 23 -j DROP
- apt/yum remove inetutils-telnetd
- Replace with OpenSSH server
- Inventory exposed port 23 services
FAQ
Why does the flaw give root?
AT_SECURE=0 means the client's environment variables are trusted when they reach /bin/login running as root.
How many systems are exposed?
About 800,000, according to Shodan scans for hosts running a vulnerable telnetd.
Who found it?
Ron Ben Yizhak (SafeBreach); the proof of concept is by Justin Swartz.
Is it fixed?
Only partially. The blacklist fix has been bypassed; a whitelist is needed.
Can telnetd be sanitized properly?
Not reliably, in a root-to-root spawn model. SSH is the proven secure alternative.
Is it being exploited?
Yes, within 24 hours of disclosure according to the H-ISAC threat bulletin.