CVE-2026-24061

9.8 CRITICAL CISA KEV - Actively Exploited
Published: January 21, 2026 Modified: February 11, 2026
View on NVD

Description

telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc
Source: cve@mitre.org
Patch
https://codeberg.org/inetutils/inetutils/commit/fd702c02497b2f398e739e3119bed0b23dd7aa7b
Source: cve@mitre.org
Patch
https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html
Source: cve@mitre.org
Mitigation Vendor Advisory
https://www.gnu.org/software/inetutils/
Source: cve@mitre.org
Product
https://www.openwall.com/lists/oss-security/2026/01/20/2
Source: cve@mitre.org
Mailing List
https://www.openwall.com/lists/oss-security/2026/01/20/8
Source: cve@mitre.org
Mailing List
https://www.vicarius.io/vsociety/posts/cve-2026-24061-detection-script-remote-authentication-bypass-in-gnu-inetutils-package
Source: cve@mitre.org
Third Party Advisory
https://www.vicarius.io/vsociety/posts/cve-2026-24061-mitigation-script-remote-authentication-bypass-in-gnu-inetutils-package
Source: cve@mitre.org
Mitigation Third Party Advisory
http://www.openwall.com/lists/oss-security/2026/01/22/1
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List
https://lists.debian.org/debian-lts-announce/2026/01/msg00025.html
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24061
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
US Government Resource
https://www.labs.greynoise.io/grimoire/2026-01-22-f-around-and-find-out-18-hours-of-unsolicited-houseguests/index.html
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit Third Party Advisory
https://www.openwall.com/lists/oss-security/2026/01/20/2#:~:text=root@...a%3A~%20USER='
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Mailing List Third Party Advisory

13 reference(s) from NVD

Quick Stats

CVSS v3 Score
9.8 / 10.0
EPSS (Exploit Probability)
78.1%
99th percentile
Exploitation Status
Actively Exploited
Remediation due: 2026-02-16

Weaknesses (CWE)

CWE-88

Affected Vendors

gnu debian

Related CVEs

CVE-2026-4472 6.3
CVE-2026-4471 4.7
CVE-2026-4470 4.7
CVE-2026-4469 4.7
CVE-2026-33035 N/A