CVE-2026-24061: GNU InetUtils telnetd Authentication Bypass

Deployment Period: 2026/02/01 to 2026/02/28

Honeypot: T-Pot Community Edition, Google Cloud Platform

Data Source: Elasticsearch DSL queries, Kibana Dev Tools

TLP: TLP:CLEAR

About This Report

This report is part of a hands-on project focused on building practical skills in threat data analysis and CVE research. It is one report in an ongoing series covering the February 2026 T-Pot deployment.

Summary

CVE-2026-24061 is the most recently disclosed CVE observed in this dataset. It was published on 2026/01/21, less than two weeks before this deployment began. The honeypot recorded 9 events across 4 days. The numbers are small, but the timing stood out to me. Scanners were already looking for this vulnerability before the month even started.

CVE-2026-24061: GNU InetUtils telnetd Authentication Bypass

Telnet is an old remote access protocol, largely replaced by SSH. telnetd is the server-side component that handles incoming Telnet connections. This vulnerability exists in the GNU InetUtils version of telnetd.

The flaw comes down to a missing input check. When a client connects, it can send a username as part of the connection. telnetd passes that username directly to the system’s login program without checking it first. An attacker can send -f root as the username, which tells the login program to skip the password check and log in as root. No password needed. The bug was introduced in a 2015 code change and went unnoticed for over 10 years.

Affected products: GNU InetUtils telnetd versions 1.9.3 through 2.7. Fixed in 2.7-2, patches released 2026/01/20.

Observed activity: 9 total events across 4 active days. The first hit came on 2026/02/01, 11 days after disclosure. Six of the nine events happened on that first day. The remaining 3 were spread across 2026/02/04, 2026/02/06, and 2026/02/20.

Assessment: What I found interesting here is the speed at which this flaw was found and exploited. GreyNoise documented exploitation attempts starting within 18 hours of the original disclosure. CISA added it to the KEV catalog on 2026/01/26, six days after the patch dropped. By the time my honeypot went live, scanners had already been active for nearly two weeks. The low event count makes sense too. Telnet is uncommon on modern internet-facing systems, so there are fewer targets to scan for compared to something like a web application vulnerability.

Defender note: Patch to GNU InetUtils 2.7-2 or later, or disable telnetd entirely if you are not using it. This one is worth checking on older or embedded Linux systems where Telnet may still be running and easy to overlook. CISA’s remediation deadline for federal agencies was 2026/02/16.

Data Reference

Table 1: CVE-2026-24061 Daily Event Counts

Methodology Notes

Event counts reflect IDS alerts, not confirmed exploitation. Suricata flagged traffic that matched a known attack pattern for this CVE. The honeypot is not a real telnetd host, so none of these attempts could have succeeded. The counts show inbound probe volume only.

Days with 0 events are omitted from the main table rows but retained in the collapsed row above for completeness.

All data sourced from Elasticsearch DSL queries against T-Pot honeypot logs, 2026/02/01 through 2026/02/28. Raw query output is preserved in honeypot-threat-research/data.

References