Scope of the Exposure
Shadowserver’s monitoring shows approximately 800,000 IP addresses with telnet fingerprints worldwide. The geographic distribution is:
- Asia: ~380,000
- South America: ~170,000
- Europe: just over 100,000
No public data indicates how many of these hosts have been patched against CVE-2026-24061.
Technical Details of the Vulnerability
The flaw resides in GNU InetUtils telnetd versions 1.9.3 through 2.7. The server invokes /usr/bin/login (running as root) and passes the client‑supplied USER environment variable as the final argument. An attacker who sends a crafted USER value of -f root via telnet -a or telnet --login can bypass authentication and obtain a root shell. The vulnerability was patched in version 2.8, released on January 20.
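The USER value reaches telnetd through the telnet NEW-ENVIRON option, which is what `telnet -a` and `telnet --login` use to send it. As an added example written for this page (not code from the article or from GNU InetUtils), the following parser extracts NEW-ENVIRON variables from a captured client-to-server byte stream and flags USER values that have the shape of command-line options, which is a useful signal for network detection or for reviewing packet captures from exposed hosts. It assumes the RFC 1572 encoding (VAR/VALUE/ESC/USERVAR codes, IAC doubling inside subnegotiations); the byte strings at the bottom are constructed samples, not real captures.

```python
# Added example, not code from the article or from GNU InetUtils.
# Parses telnet NEW-ENVIRON subnegotiations (RFC 1572) from a captured
# client byte stream and flags USER values that look like command-line
# options. The byte strings at the bottom are constructed samples.

IAC, SB, SE = 255, 250, 240      # telnet command bytes (RFC 854)
NEW_ENVIRON = 39                 # NEW-ENVIRON option code (RFC 1572)
IS = 0                           # subnegotiation type sent by the client
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3


def extract_new_environ(stream: bytes) -> dict:
    """Return {name: value} for all variables in NEW-ENVIRON IS subnegotiations."""
    env = {}
    header = bytes([IAC, SB, NEW_ENVIRON, IS])
    i, n = 0, len(stream)
    while i < n:
        if stream[i:i + 4] != header:
            i += 1
            continue
        i += 4
        body = bytearray()
        while i < n:
            b = stream[i]
            if b == IAC and i + 1 < n:
                if stream[i + 1] == IAC:       # a 0xFF data byte is doubled inside SB
                    body.append(IAC)
                    i += 2
                    continue
                if stream[i + 1] == SE:        # IAC SE ends the subnegotiation
                    i += 2
                    break
            body.append(b)
            i += 1
        else:
            break                              # truncated subnegotiation: ignore it
        env.update(parse_env_body(bytes(body)))
    return env


def parse_env_body(body: bytes) -> dict:
    """Decode the VAR/USERVAR name, VALUE value, ESC sequences of one subnegotiation."""
    env = {}
    name = value = current = None
    i = 0
    while i < len(body):
        b = body[i]
        if b in (VAR, USERVAR):                # start of a new variable name
            if name is not None:
                env[name.decode("latin-1")] = (value or b"").decode("latin-1")
            name, value = bytearray(), None
            current = name
        elif b == VALUE:                       # switch to collecting the value
            value = bytearray()
            current = value
        elif b == ESC and i + 1 < len(body):   # next byte is literal data
            i += 1
            if current is not None:
                current.append(body[i])
        elif current is not None:
            current.append(b)
        i += 1
    if name is not None:
        env[name.decode("latin-1")] = (value or b"").decode("latin-1")
    return env


def flag_suspicious_user(env: dict) -> list:
    """Reasons a USER value could be parsed as options rather than a username."""
    user = env.get("USER")
    findings = []
    if user is None:
        return findings
    if user.startswith("-"):
        findings.append(f"USER starts with '-': {user!r}")
    if any(c.isspace() for c in user):
        findings.append(f"USER contains whitespace: {user!r}")
    return findings


def scan_stream(stream: bytes) -> list:
    """Findings for one captured client-to-server telnet stream."""
    return flag_suspicious_user(extract_new_environ(stream))


def _sub(*parts: bytes) -> bytes:
    """Build one NEW-ENVIRON IS subnegotiation from raw body fragments."""
    return bytes([IAC, SB, NEW_ENVIRON, IS]) + b"".join(parts) + bytes([IAC, SE])


# Constructed samples, not captures: a normal login, and the value shape from the article.
BENIGN = _sub(bytes([VAR]) + b"USER" + bytes([VALUE]) + b"alice",
              bytes([VAR]) + b"DISPLAY" + bytes([VALUE]) + b"host:0")
SUSPICIOUS = _sub(bytes([VAR]) + b"USER" + bytes([VALUE]) + b"-f root")

if __name__ == "__main__":
    for label, s in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, extract_new_environ(s), scan_stream(s))
```

Feed it the client side of a TCP stream (a reassembled telnet session from a capture, for example); a non-empty result from `scan_stream` is worth correlating with the host's InetUtils version, since a legitimate client never sends a username that begins with an option dash or contains whitespace.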
Observed Exploits
GreyNoise detected active exploitation shortly after disclosure. Key observations:
- Exploits targeted the root account in 83.3% of cases.
- Most attacks appeared automated, though some “human‑at‑keyboard” activity was noted.
- After gaining access, attackers attempted to deploy Python malware, but the effort failed due to missing directories and binaries.
Mitigation Recommendations
Upgrade where possible; for environments where immediate upgrading is not feasible, apply one or more of the following controls:
- Upgrade GNU InetUtils to version 2.8 or later.
- Disable the vulnerable telnetd service on affected devices.
- Block TCP port 23 on perimeter firewalls and host‑based firewalls.
- Conduct an inventory of all telnet‑exposed assets and prioritize remediation for IoT and legacy systems.