Internet security watchdog Shadowserver is tracking nearly 800,000 IP addresses with Telnet fingerprints amid ongoing attacks exploiting a critical authentication bypass vulnerability in the GNU InetUtils telnetd server. The flaw, tracked as CVE-2026-24061, affects GNU InetUtils versions from 1.9.3 (released in 2015) through 2.7 and was patched in version 2.8 on January 20. It exists because telnetd passes the user-controlled USER environment variable, which the client supplies during Telnet option negotiation, straight through to the login program without sanitization. Because login treats an argument beginning with a dash as one of its own options, an attacker who sets USER to “-f root” and connects with an ordinary telnet client skips authentication entirely and lands in a root session.

Of the exposed servers, over 380,000 are in Asia, almost 170,000 in South America, and just over 100,000 in Europe. Shadowserver Foundation CEO Piotr Kijewski stressed that these telnet instances should not be reachable from the internet at all, yet they remain so, particularly on legacy IoT devices.
Cybersecurity company GreyNoise reported real-world exploitation just one day after CVE-2026-24061 was patched: 18 unique attacker IP addresses across 60 Telnet sessions between January 21 and 22. The attackers abused Telnet IAC option negotiation (the channel through which a telnet client hands environment variables such as USER to the server) to inject the crafted USER value, targeting the root account in 83.3% of sessions and showing both automated patterns and human-at-keyboard behavior. After gaining access, they ran automated reconnaissance and then attempted to deploy Python malware, but those attempts failed because directories and binaries the payload expected were missing on the compromised systems.
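The two mechanisms described above, the option negotiation that carries USER to the server and the unchecked hand-off of that value to login, as an added example that is not GNU InetUtils code nor GreyNoise's tooling: a parser for the Telnet NEW-ENVIRON subnegotiation (RFC 1572, the option that transports environment variables), a username check of the kind the fix needs before USER can reach login's argument vector, and the argv the vulnerable pattern would build. The option and type codes are RFC 1572's; the argv layout, the host address, and the sample client streams are constructed assumptions, so the parser can be run offline against real captures by substituting the bytes.

```python
# Added example (not GNU InetUtils code): decode Telnet NEW-ENVIRON (RFC 1572)
# subnegotiations from a client byte stream, pull out USER, and apply the kind
# of username check telnetd needs before that value reaches login's argv.
# Sample streams below are constructed; the login argv layout is an assumption.

IAC, SB, SE = 255, 250, 240             # Telnet command bytes
NEW_ENVIRON = 39                        # option code (RFC 1572)
IS, SEND, INFO = 0, 1, 2                # NEW-ENVIRON subcommands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3   # entry type and escape bytes


def _decode_entries(data: bytes) -> dict:
    """Decode 'VAR name VALUE value ...' (type may also be USERVAR) into a dict.
    ESC quotes the following byte, so names and values may contain the type
    codes themselves; a VAR with no VALUE maps to ''."""
    entries, name, value, field = {}, None, None, None

    def store():
        if name is not None:
            entries[bytes(name).decode("latin-1")] = bytes(value or b"").decode("latin-1")

    k = 0
    while k < len(data):
        b = data[k]
        if b == ESC and k + 1 < len(data):      # quoted byte: take it literally
            if field is not None:
                field.append(data[k + 1])
            k += 2
            continue
        if b in (VAR, USERVAR):                 # start of a new variable name
            store()
            name, value = bytearray(), None
            field = name
        elif b == VALUE:                        # start of that variable's value
            value = bytearray()
            field = value
        elif field is not None:
            field.append(b)
        k += 1
    store()
    return entries


def parse_new_environ(stream: bytes) -> dict:
    """Collect every complete IAC SB NEW-ENVIRON IS/INFO ... IAC SE block in
    `stream` (other negotiation bytes are skipped) into one {name: value} dict.
    A data byte 0xFF arrives doubled as IAC IAC; a block lacking IAC SE is dropped."""
    env, i = {}, 0
    marker = bytes([IAC, SB, NEW_ENVIRON])
    while (start := stream.find(marker, i)) >= 0:
        body, terminated, j = bytearray(), False, start + len(marker)
        while j < len(stream):
            b = stream[j]
            if b == IAC:
                nxt = stream[j + 1] if j + 1 < len(stream) else None
                j += 2
                if nxt == IAC:
                    body.append(IAC)
                    continue
                terminated = nxt == SE          # anything but IAC SE is malformed
                break
            body.append(b)
            j += 1
        i = j
        if terminated and body and body[0] in (IS, INFO):
            env.update(_decode_entries(bytes(body[1:])))
    return env


def username_is_safe(user: str) -> bool:
    """Check modelled on the obvious fix (an assumption, not the 2.8 patch):
    login parses a leading '-' as one of its own options, so reject it, along
    with empty, oversized, or non-[A-Za-z0-9._-] names (so no whitespace either)."""
    return (0 < len(user) <= 32 and user[0] != "-"
            and all((c.isascii() and c.isalnum()) or c in "._-" for c in user))


def login_argv(host: str, user: str) -> list:
    """The vulnerable hand-off pattern (argv layout assumed): the negotiated
    USER becomes login's final argument with no check and no '--' separator."""
    return ["login", "-p", "-h", host, user]


def scan_session(stream: bytes, host: str = "198.51.100.7") -> dict:
    """Classify one client stream: which USER it negotiated, whether that value
    is option-like (the CVE-2026-24061 pattern), and the argv it would yield."""
    user = parse_new_environ(stream).get("USER")
    if user is None:
        return {"user": None, "verdict": "no-user"}
    verdict = "ok" if username_is_safe(user) else "option-injection"
    return {"user": user, "verdict": verdict, "argv": login_argv(host, user)}


def _escape(s: str) -> bytes:
    """Client-side encoding of a name or value: quote type bytes with ESC, double IAC."""
    out = bytearray()
    for b in s.encode("latin-1"):
        if b in (VAR, VALUE, ESC, USERVAR):
            out += bytes([ESC, b])
        elif b == IAC:
            out += bytes([IAC, IAC])
        else:
            out.append(b)
    return bytes(out)


def build_new_environ_is(pairs) -> bytes:
    """Construct what a telnet client sends in reply to NEW-ENVIRON SEND."""
    body = bytearray([IAC, SB, NEW_ENVIRON, IS])
    for name, value in pairs:
        body += bytes([VAR]) + _escape(name) + bytes([VALUE]) + _escape(value)
    return bytes(body + bytes([IAC, SE]))


# Constructed sample streams: a normal login (preceded by an unrelated
# IAC WILL TERMINAL-TYPE) and the injected USER value from the attacks.
BENIGN = bytes([IAC, 251, 24]) + build_new_environ_is([("USER", "alice"), ("DISPLAY", "host:0")])
MALICIOUS = build_new_environ_is([("USER", "-f root")])

if __name__ == "__main__":
    for label, s in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, scan_session(s))
```

Run against the malicious stream, `scan_session` reports the USER value `-f root`, the verdict `option-injection`, and an argv in which that string sits where login expects a plain username; the same check passes `alice`. The parser is the piece worth reusing for detection: point it at the client-to-server bytes of a captured port-23 session and alert on any USER value that `username_is_safe` rejects.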
Vulnerable telnetd servers are so widespread because GNU InetUtils, a collection of network utilities, ships in multiple Linux distributions and in firmware for legacy and embedded devices, where it can run unpatched for more than a decade. Administrators who cannot upgrade to the patched release promptly are strongly advised to disable the telnetd service (inetutils' telnetd is normally launched by inetd or xinetd, so that means removing its super-server entry rather than stopping a standalone daemon, then confirming nothing is still listening on port 23) or to block inbound TCP port 23 at every firewall. There is currently no information on how many of the nearly 800,000 tracked devices have been secured against CVE-2026-24061, leaving a substantial attack surface for threat actors who can leverage publicly available proof-of-concept exploits.