Hackers Exploiting telnetd Vulnerability for Root Access \u2013 Public PoC Released
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Active exploitation of a critical authentication bypass vulnerability in the GNU InetUtils telnetd<\/em> server (CVE-2026-24061<\/a>) has been observed in the wild, allowing unauthenticated attackers to gain root access to Linux systems.<\/p>\n The vulnerability, which affects GNU InetUtils versions 1.9.3 through 2.7, enables remote code execution by manipulating the USER<\/em> environment variable passed during the Telnet negotiation phase.<\/p>\n Grey Noise has detected a coordinated exploitation campaign targeting Telnet services (TCP\/23) using the telnetd -f<\/em> authentication<\/a> bypass flaw.<\/p>\n The attack leverages a command injection vulnerability where the Telnet daemon passes an unsanitized USER<\/em> environment variable to the Recent analysis of <\/a>honeypot traffic has captured 60 unique exploitation attempts from 18 distinct source IP addresses. These attacks range from opportunistic scanning to targeted persistence mechanisms, including SSH key injection and malware deployment.<\/p>\n The vulnerability resides in the way telnetd<\/em> invokes the login<\/em> program. Typically, telnetd<\/em> executes \/usr\/bin\/login<\/em> (running as root) and passes the client-supplied USER<\/em> variable as the final argument.<\/p>\n The exploitation flow proceeds as follows:<\/p>\n Analysis of captured attack traffic reveals distinct patterns in attacker behavior. The most prolific source, 178.16.53[.]82<\/em>, accounted for 12 sessions targeting 10 unique systems, utilizing a consistent payload configuration (9600 baud, XTERM-256COLOR).<\/p>\n Attackers are employing diverse payload configurations to evade simple signature detection:<\/p>\n Upon gaining access, attackers immediately execute reconnaissance commands (uname -a<\/em>, id<\/em>, cat \/etc\/passwd<\/em>) often wrapped in delimiters (e.g., S\u2026EU\u2026blah<\/em>) for automated parsing by C2 infrastructure<\/a>.<\/p>\n More advanced actors attempt to establish persistence. One campaign from 216.106.186[.]24<\/em> attempted to append a 3072-bit RSA key to ~\/.ssh\/authorized_keys<\/em>. This same actor also attempted to fetch a second-stage Python payload (apps[.]py<\/em>) from a distribution server, indicating a potential botnet recruitment drive.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Hackers Exploiting telnetd Vulnerability for Root Access \u2013 Public PoC Released<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n\/usr\/bin\/login<\/code> binary. By supplying the value -f root<\/em>, attackers force the login program to treat the session as pre-authenticated, bypassing all credential checks and granting an immediate root shell.<\/p>\ntelnetd Vulnerability CVE-2026-24061<\/strong><\/h2>\n
\n
\n
\n\n
\n \nCVE ID<\/th>\n Severity<\/th>\n CVSS Score<\/th>\n Affected Versions<\/th>\n<\/tr>\n<\/thead>\n \n CVE-2026-24061<\/strong><\/td>\n Critical<\/td>\n 9.8 (Critical)<\/td>\n GNU InetUtils 1.9.3 \u2013 2.7<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n Indicators of Compromise (IOCs)<\/strong><\/h2>\n
\n\n
\n \nIndicator Type<\/th>\n Value<\/th>\n Context<\/th>\n<\/tr>\n<\/thead>\n \n Attacker IP<\/strong><\/td>\n 178.16.53[.]82<\/td>\n Top source (12 sessions), Reconnaissance<\/td>\n<\/tr>\n \n Attacker IP<\/strong><\/td>\n 216.106.186[.]24<\/td>\n SSH Key Injection, Malware Download<\/td>\n<\/tr>\n \n Attacker IP<\/strong><\/td>\n 67.220.95[.]16<\/td>\n Malware Distribution, Exploitation<\/td>\n<\/tr>\n \n Attacker IP<\/strong><\/td>\n 156.238.237[.]103<\/td>\n Confirmed Root Access (IDS Alert)<\/td>\n<\/tr>\n \n Malware URL<\/strong><\/td>\n http:\/\/67.220.95[.]16:8000\/apps.py<\/td>\n Python Payload Delivery<\/td>\n<\/tr>\n \n File Name<\/strong><\/td>\n apps[.]py<\/td>\n Second-stage payload<\/td>\n<\/tr>\n \n SSH Key Comment<\/strong><\/td>\n root@s51865.vps[.]hosting<\/td>\n Associated with persistence attempts<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n