CVE-2026-24061
Aliases:GCVE-1-2026-0007
Advisory lineage Upstream: 0 Downstream: 5
Analyzed
Published: 21 Jan 2026, 06:42
Last modified:25 Mar 2026, 13:31
Vulnerability Summary
Overall Risk (default)
critical
90/100 CVSS Score
10 CRITICAL
v4.0 (gcve)
EPSS Score
91.81% CRITICAL
92% probability +3.79%
KEV
Listed
CISA
1 listing
Ransomware
No reports
Public exploits
4 found
Dark Web
Not detected
Timeline
21 Jan 2026, 06:42
Published
Vulnerability first disclosed
26 Jan 2026, 00:00
Added to CISA KEV
GNU InetUtils Argument Injection Vulnerability
16 Feb 2026, 00:00
CISA Remediation Due
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
25 Mar 2026, 13:31
Last Modified
Vulnerability information updated
Description
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.
CVSS Metrics
- v4.0•CRITICAL•Score: 10CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
- v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Trends
Current EPSS score: 91.81%• Percentile: 100%
Techniques & Countermeasures
- CWE-20•Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
- CWE-88•Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
Affected Systems
- debian•debian_linux
11.0
- Unknown•InetUtils
≥ 1.9.3, ≤ 2.7
References (15)
- https://www.openwall.com/lists/oss-security/2026/01/20/2
- https://www.openwall.com/lists/oss-security/2026/01/20/8
- https://www.gnu.org/software/inetutils/
- https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html
- https://codeberg.org/inetutils/inetutils/commit/fd702c02497b2f398e739e3119bed0b23dd7aa7b
- https://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc
- https://www.openwall.com/lists/oss-security/2026/01/20/2#:~:text=root@...a%3A~%20USER='
- https://www.labs.greynoise.io/grimoire/2026-01-22-f-around-and-find-out-18-hours-of-unsolicited-houseguests/index.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24061
- http://www.openwall.com/lists/oss-security/2026/01/22/1
- https://lists.debian.org/debian-lts-announce/2026/01/msg00025.html
- https://seclists.org/oss-sec/2026/q1/89
- https://codeberg.org/inetutils/inetutils/commit/fa3245ac8c288b87139a0da8249d0a408c4dfb87
- https://www.vicarius.io/vsociety/posts/cve-2026-24061-detection-script-remote-authentication-bypass-in-gnu-inetutils-package
- https://www.vicarius.io/vsociety/posts/cve-2026-24061-mitigation-script-remote-authentication-bypass-in-gnu-inetutils-package