Critical Telnet Server Flaw Exposes Forgotten Attack Surface

Critical Telnet Server Flaw Exposes Forgotten Attack Surface

A critical authentication bypass flaw, tracked as CVE-2026-24061, has been discovered in the GNU InetUtils telnetd server, potentially giving attackers complete control of affected devices. The vulnerability, present since 2015, was recently added to CISA’s Known Exploited Vulnerability (KEV) catalog, triggering renewed concern about the risk posed by legacy systems reliant on the obsolete telnet protocol.

While modern security protocols emphasize encryption and robust authentication, many legacy systems and IoT devices continue to rely on telnet for remote access, creating a significant attack surface. The continued prevalence of telnet despite its known vulnerabilities represents a cost of maintaining backward compatibility, leading to increased exposure for organizations.

Key Insights

• 800,000 telnet instances exposed globally: Shadowserver Foundation data indicates a large number of vulnerable systems remain accessible on the internet.
• Authentication bypass via environment variable injection: CVE-2026-24061 is triggered by the “-f root” argument passed to the USER environment variable.
• Forescout research: 4% of all connected devices still use telnet as of 2025.

Practical Applications

• Manufacturing/Healthcare/Government: Legacy control systems and medical devices still often utilize unencrypted telnet for maintenance.
• Pitfall: Relying on network segmentation as a primary mitigation for telnet exposes an organization to insider threats and failures in segmentation policies.

References:

• https://www.darkreading.com/ics-ot-security/critical-telnet-server-flaw-forgotten-attack-surface
• https://sec list .org/post/2026-01-20/gnu-inetutils-telnetd-vulnerability/