
Nearly 800,000 Telnet servers exposed to remote attacks

  • January 26, 2026

Jasper_The_Rasper
Moderator

January 26, 2026 By Sergiu Gatlan

 


Internet security watchdog Shadowserver tracks nearly 800,000 IP addresses with Telnet fingerprints amid ongoing attacks exploiting a critical authentication bypass vulnerability in the GNU InetUtils telnetd server.

The security flaw (CVE-2026-24061) impacts GNU InetUtils versions 1.9.3 (released 11 years ago in 2015) through 2.7 and was patched in version 2.8 (released on January 20).

"The telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter," explained open-source contributor Simon Josefsson, who reported it.

"If the client supplies a carefully crafted USER environment value being the string "-f root", and passes the telnet(1) -a or --login parameter to send this USER environment to the server, the client will be automatically logged in as root bypassing normal authentication processes."

Today, Shadowserver said that it's tracking nearly 800,000 IP addresses with Telnet fingerprints: over 380,000 from Asia, almost 170,000 from South America, and just over 100,000 from Europe. However, there is no information on how many of these devices have been secured against CVE-2026-24061 attacks.
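The flaw Josefsson describes is an argument injection: a client-controlled USER value reaches login as its last parameter and is parsed as an option. The following is an added example of the defensive check for that pattern, not GNU InetUtils code and not the 2.8 patch; `user_is_safe`, `build_login_argv`, the 32-character limit and the use of `--` are assumptions made for the illustration.

```c
/* Added illustration: validating a client-supplied USER value before it
 * becomes an argument to login. Not the GNU InetUtils code or its patch. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define LOGIN_PATH "/usr/bin/login"  /* path quoted in the advisory */
#define MAX_USER   32                /* assumed limit for this example */

/* Return 1 if `user` can only be read as an account name, else 0. */
int user_is_safe(const char *user)
{
    size_t len = user ? strlen(user) : 0;
    if (len == 0 || len > MAX_USER)
        return 0;
    if (user[0] == '-')              /* would be parsed as an option */
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-'))
            return 0;                /* rejects spaces and control chars */
    }
    return 1;
}

/* Fill argv for login; returns argc, or -1 if the value is rejected.
 * "--" ends option parsing in getopt-based programs (assumed here). */
int build_login_argv(const char *user, const char *argv[], size_t cap)
{
    if (cap < 4 || !user_is_safe(user))
        return -1;
    argv[0] = LOGIN_PATH;
    argv[1] = "--";
    argv[2] = user;
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    /* Constructed sample values, including the string from the advisory. */
    const char *samples[] = { "alice", "-f root", "-froot", "", "bob smith" };
    const char *argv[4];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i][0] ? samples[i] : "(empty)",
               build_login_argv(samples[i], argv, 4) < 0 ? "rejected" : "accepted");
    return 0;
}
```

The two layers are independent: the leading-dash check refuses the value outright, and the `--` separator keeps any value that does get through from being read as an option.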

 
