The flaws allow threat actors to obtain root privileges or bypass authentication via Telnet and gain shell access as root.

January 27, 2026 By Ionut Arghire
The US cybersecurity agency CISA on Monday expanded the Known Exploited Vulnerabilities (KEV) catalog with five flaws, including two Linux bugs.
The first Linux issue is CVE-2026-24061 (CVSS score of 9.8), a critical-severity defect in GNU Inetutils that has been exploited within days of its public disclosure last week.
It is an authentication bypass in the GNU telnetd service, which does not sanitize the USER environment variable before passing it to the login function.
The USER environment variable pre-fills the username for authentication and, because an attacker can set it over the Telnet protocol, the attacker can supply a ‘-f’ flag to bypass authentication.
An attacker can exploit the bug by sending crafted Telnet commands to set the USER variable, bypass authentication, and obtain a root shell, gaining remote code execution (RCE) on vulnerable systems, SafeBreach explains.
CVE-2026-24061 was introduced in GNU Inetutils version 1.9.3, which was released in May 2015, and impacts all iterations up to and including version 2.7, which was rolled out in December 2025.
Within days of the flaw’s public disclosure on January 20, GreyNoise reported seeing 60 exploitation attempts from 18 unique attack sources. The attacks involved reconnaissance, SSH persistence, and malware deployment.
As SafeBreach points out, more than 200,000 systems have a Telnet service exposed to the internet (or over 1 million, per Censys), but only those using the GNU telnetd service are vulnerable.
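The article's description (GNU telnetd only, versions 1.9.3 through 2.7, USER value reaching login as an option such as ‘-f’) gives a defender two concrete checks: whether a telnet banner belongs to an affected Inetutils build, and whether a logged login attempt carries an option-looking username. The following Python is an added example for this article, not code from SecurityWeek, SafeBreach or the GNU Inetutils project; the banner string format and the log line format are constructed for illustration and are assumptions, not real telnetd output.

```python
"""Triage helpers for CVE-2026-24061 (GNU Inetutils telnetd USER handling).

Added example; not code from the article, SafeBreach or GNU Inetutils.
Assumptions: the banner form "telnetd (GNU inetutils) X.Y.Z" and the
log line form below are constructed for this example only.
"""
import re

# Affected range as stated in the article: introduced in 1.9.3, up to and
# including 2.7. Versions are compared as zero-padded integer tuples.
AFFECTED_MIN = (1, 9, 3)
AFFECTED_MAX = (2, 7)


def parse_version(text):
    """Return the first dotted version in `text` as a tuple of ints, or None."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def version_in_affected_range(version):
    """True if AFFECTED_MIN <= version <= AFFECTED_MAX (tuples padded with 0)."""
    n = max(len(version), len(AFFECTED_MIN), len(AFFECTED_MAX))

    def pad(t):
        return t + (0,) * (n - len(t))

    return pad(AFFECTED_MIN) <= pad(version) <= pad(AFFECTED_MAX)


def classify_banner(banner):
    """Classify a telnetd banner as 'affected', 'not-affected', 'unknown'
    or 'not-gnu'. Per the article only GNU telnetd is in scope, so other
    implementations (e.g. BusyBox) are reported as 'not-gnu' rather than safe
    or unsafe; a patched 2.7.x build would need vendor data to be judged."""
    if "gnu inetutils" not in banner.lower():
        return "not-gnu"
    version = parse_version(banner)
    if version is None:
        return "unknown"
    return "affected" if version_in_affected_range(version) else "not-affected"


def option_like_username(user):
    """A username that starts with '-' is not a valid account name; it would
    be parsed by login as an option (the article names '-f'). Alert on it."""
    return user.startswith("-")


# Constructed log format (assumption): ... login attempt user="<name>" from <ip>
LOG_RE = re.compile(r'user="([^"]*)"')


def flag_suspicious_logins(lines):
    """Return the log lines whose pre-filled username looks like an option."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and option_like_username(m.group(1)):
            hits.append(line)
    return hits


# Constructed sample log lines (not real telnetd output; RFC 5737 test addresses).
SAMPLE_LOGS = [
    'Jan 21 03:14:07 host telnetd[1201]: login attempt user="alice" from 203.0.113.5',
    'Jan 21 03:14:09 host telnetd[1202]: login attempt user="-f" from 198.51.100.7',
    'Jan 21 03:15:22 host telnetd[1203]: login attempt user="bob" from 203.0.113.9',
]

if __name__ == "__main__":
    for banner in ("telnetd (GNU inetutils) 2.4", "telnetd (GNU inetutils) 1.9.2",
                   "BusyBox v1.36.1 multi-call binary"):
        print(f"{banner!r}: {classify_banner(banner)}")
    for line in flag_suspicious_logins(SAMPLE_LOGS):
        print("ALERT:", line)
```

The banner classifier deliberately reports non-GNU implementations as out of scope rather than as safe, matching the article's point that a large exposed-Telnet population is not the same as the vulnerable population; the login check is a generic sanity rule (usernames never begin with ‘-’) that remains useful after patching.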
The second Linux issue added to the KEV catalog this week is CVE-2018-14634 (CVSS score of 7.8), an integer overflow vulnerability in the Linux kernel that could allow an attacker with access to a privileged binary to escalate their privileges to root.
Qualys, which discovered and reported the vulnerability, said in September 2018 that the attack's memory requirements limited exploitation to systems with at least 32GB of RAM.
There appear to be no reports of CVE-2018-14634’s in-the-wild exploitation prior to CISA’s warning.