CVE-2026-24061 GNU InetUtils Telnetd Legacy Protocol Exploitation
BLUF
Unauthenticated remote attackers are actively exploiting an 11-year-old "sleeper" flaw in telnetd to gain immediate root access by injecting arguments into the USER environment variable.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by active exploitation of legacy telnetd services granting unauthenticated root access:
· Low-end total cost: $1.2M – $2.5M
o (Single-system compromise, rapid isolation, no persistence discovered)
· Typical expected range: $3.0M – $6.5M
o (Multiple legacy systems affected, rebuilds required, limited operational disruption)
· Upper-bound realistic scenarios: $8.0M – $15.0M
o (ICS or critical infrastructure impact, persistence detected, regulatory involvement)
Key Cost Drivers
· Number of internet-reachable legacy Linux/UNIX systems requiring rebuild
· Presence of telnet within OT, ICS, or embedded operational environments
· Duration of undetected root-level access prior to containment
· Requirement to prove system integrity to regulators or customers
· Cyber insurance exclusions tied to legacy or unsupported services
Targeted Sectors
· Industrial Control Systems (ICS)
· Critical infrastructure
· Networking equipment
· Legacy data centers
Countries
Global; specific concentrations observed in regions with high densities of legacy Linux/UNIX appliances.
First Reported Activity
· January 20, 2026
Last Reported Update
· January 25, 2026
APT Names
· No specific APT assigned yet
Associated Criminal Organizations
Automated scanning botnets and initial access brokers.
TTPs
Initial Access
· T1190 Exploit Public-Facing Application
o Adversaries exploit this vulnerability by sending a crafted USER environment variable directly to a publicly reachable telnet service.
· T1021.002 Remote Services: SMB/Windows Admin Shares (closest analogue to Telnet)
o T1021.002 is specific to SMB, but the parent technique, Remote Services (T1021), applies: attackers use the vulnerable Telnet service to gain an initial foothold.
Execution
· T1203 Exploitation for Client Execution
o The vulnerability allows for remote code execution by tricking the telnetd server into executing the system login binary with unauthorized flags.
Privilege Escalation
· T1068 Exploitation for Privilege Escalation
o Exploiting this flaw immediately elevates an unauthenticated session to a root shell, providing full system control.
Defense Evasion
· T1548 Abuse Elevation Control Mechanism
o Attackers bypass the standard authentication mechanism (the login prompt) by injecting the -f (force) flag into the environment variable negotiation.
Persistence
· T1133 External Remote Services
o Once initial access is gained through the vulnerable Telnet service, adversaries may use it to maintain persistent access to the network.
Tools Used
· Telnet_rce.py (SafeBreach Labs exploit script)
IOCs
Network Indicators
The vulnerability is exploited during the Telnet protocol's option negotiation phase (specifically NEW_ENVIRON).
· Malformed USER Environment Variable: Look for Telnet environment-option subnegotiation in which the variable name USER is followed (after the VALUE separator byte) by the value -f root.
o This is an "argument injection": the attacker passes the -f (force/pre-authenticated) flag through to the underlying /bin/login process.
· High-Volume Telnet Connection Attempts: Monitor for unusual spikes in connection attempts to TCP port 23 (the default) or other configured Telnet ports (e.g., 2323, often used in PoCs) from unfamiliar IP addresses.
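The network indicator above is easiest to reason about as a decoder for the subnegotiation it lives in. The following Python is an added example for this advisory (not code from the page, from GNU InetUtils or from the SafeBreach PoC): it splits a Telnet byte stream into IAC SB ... IAC SE blocks, decodes the environment-option payload for both the older ENVIRON option (36) and NEW-ENVIRON (39), and reports any variable whose value begins with "-", which is the shape of the USER=-f root payload. The byte strings at the bottom are constructed samples, not captured traffic.

```python
"""
Decode Telnet environment-option subnegotiations and flag values that would
be parsed as command-line arguments by the program telnetd hands them to.

Added example for this advisory; not code from the page, from GNU InetUtils
or from the SafeBreach PoC. Sample byte strings are constructed.
"""

IAC, SB, SE = 0xFF, 0xFA, 0xF0
# Both environment options carry the same IS/INFO payload layout. Note that
# some implementations of the older ENVIRON option disagree on the VAR/VALUE
# code values (see RFC 1571); the RFC 1572 assignments are used here.
ENV_OPTIONS = {0x24: "ENVIRON", 0x27: "NEW-ENVIRON"}   # options 36 and 39
ENV_IS, ENV_INFO = 0x00, 0x02                           # client -> server commands
VAR, VALUE, ESC, USERVAR = 0x00, 0x01, 0x02, 0x03       # payload sub-codes (RFC 1572)
NAME_CODES = {VAR: "VAR", USERVAR: "USERVAR"}


def split_subnegotiations(stream: bytes):
    """Yield (option, body) for each IAC SB <opt> ... IAC SE block, undoing
    the IAC doubling (FF FF -> FF) used to escape a literal 0xFF in data."""
    i, n = 0, len(stream)
    while i + 2 < n:
        if stream[i] != IAC or stream[i + 1] != SB:
            i += 1
            continue
        option, body, j, closed = stream[i + 2], bytearray(), i + 3, False
        while j < n:
            b = stream[j]
            if b == IAC and j + 1 < n:
                if stream[j + 1] == SE:
                    closed, j = True, j + 2
                    break
                if stream[j + 1] == IAC:
                    body.append(IAC)
                    j += 2
                    continue
            body.append(b)
            j += 1
        if not closed:            # truncated block: stop rather than guess
            return
        yield option, bytes(body)
        i = j


def parse_env_body(body: bytes):
    """Turn an IS/INFO payload into (kind, name, value) tuples; value is None
    when the client sent a name with no VALUE part."""
    entries = []
    if not body or body[0] not in (ENV_IS, ENV_INFO):
        return entries
    cur, target = None, None      # cur = [kind, name_buf, value_buf_or_None]
    i = 1
    while i < len(body):
        b = body[i]
        if b in NAME_CODES:
            if cur is not None:
                entries.append(_finish(cur))
            cur = [NAME_CODES[b], bytearray(), None]
            target = cur[1]
        elif b == VALUE and cur is not None:
            cur[2] = bytearray()
            target = cur[2]
        elif b == ESC and i + 1 < len(body):
            i += 1                # next byte is literal, even if it is a sub-code
            if target is not None:
                target.append(body[i])
        elif target is not None:
            target.append(b)
        i += 1
    if cur is not None:
        entries.append(_finish(cur))
    return entries


def _finish(cur):
    kind, name, value = cur
    return kind, name.decode("latin-1"), None if value is None else value.decode("latin-1")


def find_argument_injection(stream: bytes):
    """Report environment values that start with '-': the shape of the
    USER=-f root payload described in the advisory."""
    findings = []
    for option, body in split_subnegotiations(stream):
        if option not in ENV_OPTIONS:
            continue
        for kind, name, value in parse_env_body(body):
            if value is not None and value.lstrip().startswith("-"):
                findings.append({"option": ENV_OPTIONS[option], "kind": kind,
                                 "name": name, "value": value})
    return findings


# Constructed samples (not captured traffic).
MALICIOUS_SAMPLE = (
    b"\xff\xfd\x27"                      # IAC DO NEW-ENVIRON (not a subnegotiation)
    + b"\xff\xfa\x27\x00"                # IAC SB NEW-ENVIRON IS
    + b"\x00USER\x01-f root"             # VAR "USER" VALUE "-f root"
    + b"\x03LANG\x01en_US.UTF-8"         # USERVAR "LANG" VALUE "en_US.UTF-8"
    + b"\xff\xf0"                        # IAC SE
)
BENIGN_SAMPLE = (
    b"\xff\xfa\x18\x00xterm\xff\xf0"     # TERMINAL-TYPE IS "xterm": not an env option
    + b"\xff\xfa\x24\x00\x00USER\x01alice\xff\xf0"   # old ENVIRON, USER=alice
)

if __name__ == "__main__":
    print(find_argument_injection(MALICIOUS_SAMPLE))   # one USER finding
    print(find_argument_injection(BENIGN_SAMPLE))      # []
```

Feeding the decoder the client-to-server half of a TCP stream (for example, what a sensor reassembles on port 23) gives a structured view that a substring match cannot: it distinguishes a "-f root" that sits in a variable value from the same bytes appearing in terminal data, and it keeps working when the client negotiates the older option 36 instead of 39.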
Host and Log Indicators
· Login Logs (/var/log/auth.log or journalctl): Successful exploitation may result in log entries showing a root login without an associated password prompt or verification step.
· Process Monitoring: Monitor for the execution of /bin/login with the unexpected -f root argument, which bypasses credential checks.
· Shell History: Check for root-level commands executed immediately after a Telnet session establishment, especially those typically used for reconnaissance like id, whoami, or uname -a.
Artifacts and Files
· Exploit Scripts: Be aware of Proof-of-Concept (PoC) scripts circulating under names such as cve_2026_24061_telnetd.py.
· Unauthorized Configuration Changes: Since exploitation grants root access, look for modified system files like /etc/shadow, /etc/passwd, or unauthorized additions to ~/.ssh/authorized_keys.
Malware Names
· Observed deploying custom rootkits
· "VoidLink" Linux framework.
Malware Family
· Linux/VoidLink
sha256
21fb7f8941b929a5b18530f435c236c79b4974d41109cecb9e7098f5bbe04dd6
Decoding Key
· Dynamic/XOR-based (custom per campaign)
Verdict
· Malicious (Rootkit/C2)
Primary Objectives
· Establish persistent C2
· Exfiltrate system data
· Disarm security software.
Behavior Analysis
· Injects malicious modules into login
· Manipulates environment variables to maintain hidden root access.
CVE-2026-24061
CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Score 9.8)
Nessus ID
· 296511
· 294968
KEV Catalog Data
· Yes
CISA Patch by date
· February 16, 2026
Suggested Rules / potential hunts
As a reminder, these are indicator rules. They are likely to be noisy.
For best results consider creating a data model and reviewing the traffic as a report.
Suricata
Looks for a Telnet subnegotiation (ff fa) of the environment option (24 00 01) followed by the USER variable name and the -f root payload. Note that 0x24 is option 36, the older ENVIRON option; NEW-ENVIRON is option 39 (0x27), so a second copy of the rule with |ff fa 27| is needed to cover clients that negotiate the newer option, and depth:5 only matches when the subnegotiation begins the TCP payload.
alert tcp any any -> any 23 (msg:"ET EXPLOIT GNU InetUtils telnetd Auth Bypass Attempt (CVE-2026-24061)"; flow:established,to_server; content:"|ff fa 24 00 01|"; depth:5; content:"USER"; distance:0; content:"-f root"; distance:0; reference:cve,2026-24061; classtype:attempted-admin; sid:1000001; rev:1;)
SentinelOne
Monitor for any successful login execution where the -f flag is used to bypass authentication, especially if the user is root.
EndpointType = "Linux"
AND ParentProcessName = "telnetd"
AND ProcessName = "login"
AND CommandLine Contains "-f root"
Splunk
Look for the creation of new root-level sessions immediately following a Telnet connection.
index=linux_logs sourcetype=auditd
| search (process="login" AND command_line="*-f root*") OR (parent_process="telnetd" AND command_line="* -f *")
| stats count min(_time) as first_seen max(_time) as last_seen by host, user, parent_process, command_line
| where parent_process="telnetd"
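The Process Monitoring indicator and the two hunts above share one pattern: an execution of login carrying -f whose parent is telnetd. The Python below is an added example for this advisory (not code from the page, from GNU InetUtils or from any SIEM vendor) that applies the same logic offline to auditd-style execve records. It joins the SYSCALL record (pid, ppid, comm) and the EXECVE record (argv) that share an audit id, resolves the parent's name from earlier records, and rates a finding high when the parent is telnetd and medium otherwise. The log lines are constructed and simplified, not taken from a real host.

```python
"""
Host-side check for login executed with "-f <user>" under telnetd.

Added example for this advisory; not code from the page, GNU InetUtils or
any SIEM vendor. The auditd records below are constructed and simplified.
"""
import re
from collections import defaultdict

# Constructed, simplified auditd execve records (not from a real host).
# Each execve yields a SYSCALL record (pid/ppid/comm) and an EXECVE record
# (argv) with the same audit id, so the two must be joined before analysis.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1737400000.100:40): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=900 auid=4294967295 uid=0 comm="agetty" exe="/sbin/agetty" key="exec"
type=EXECVE msg=audit(1737400000.100:40): argc=1 a0="/sbin/agetty"
type=SYSCALL msg=audit(1737400000.110:41): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1201 auid=4294967295 uid=0 comm="telnetd" exe="/usr/sbin/telnetd" key="exec"
type=EXECVE msg=audit(1737400000.110:41): argc=1 a0="/usr/sbin/telnetd"
type=SYSCALL msg=audit(1737400000.200:42): arch=c000003e syscall=59 success=yes exit=0 ppid=1201 pid=1300 auid=4294967295 uid=0 comm="login" exe="/bin/login" key="exec"
type=EXECVE msg=audit(1737400000.200:42): argc=5 a0="/bin/login" a1="-h" a2="203.0.113.7" a3="-p" a4="alice"
type=SYSCALL msg=audit(1737400000.300:43): arch=c000003e syscall=59 success=yes exit=0 ppid=1201 pid=1301 auid=4294967295 uid=0 comm="login" exe="/bin/login" key="exec"
type=EXECVE msg=audit(1737400000.300:43): argc=6 a0="/bin/login" a1="-h" a2="203.0.113.7" a3="-p" a4="-f" a5="root"
type=SYSCALL msg=audit(1737400000.400:44): arch=c000003e syscall=59 success=yes exit=0 ppid=1201 pid=1302 auid=4294967295 uid=0 comm="login" exe="/bin/login" key="exec"
type=EXECVE msg=audit(1737400000.400:44): argc=5 a0="/bin/login" a1="-h" a2="203.0.113.7" a3="-p" a4="-f root"
type=SYSCALL msg=audit(1737400000.500:45): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=1400 auid=4294967295 uid=0 comm="login" exe="/bin/login" key="exec"
type=EXECVE msg=audit(1737400000.500:45): argc=3 a0="/bin/login" a1="-f" a2="alice"
"""

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<id>\d+)\): (?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(rest: str) -> dict:
    """Split 'k=v k="v v"' audit fields into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(rest)}


def join_records(log_text: str) -> dict:
    """Merge SYSCALL and EXECVE records that share an audit id."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        ev = events[m.group("id")]
        ev.setdefault("ts", m.group("ts"))
        ev.update(parse_fields(m.group("rest")))
    return events


def argv_tokens(ev: dict) -> list:
    """Rebuild argv and split on whitespace, so the two-element form
    ('-f', 'root') and a single injected element ('-f root') are seen the
    same way the substring hunts above see them."""
    argv = [ev[f"a{i}"] for i in range(int(ev.get("argc", 0))) if f"a{i}" in ev]
    return " ".join(argv).split()


def find_forced_logins(log_text: str) -> list:
    """Return every login execve carrying -f, rated high when the parent is
    telnetd (the CVE-2026-24061 pattern) and medium otherwise."""
    events = join_records(log_text)
    pid_to_comm = {ev["pid"]: ev["comm"] for ev in events.values()
                   if "pid" in ev and "comm" in ev}
    findings = []
    for audit_id, ev in sorted(events.items(), key=lambda kv: int(kv[0])):
        if ev.get("exe", "").rsplit("/", 1)[-1] != "login":
            continue
        tokens = argv_tokens(ev)
        if "-f" not in tokens:
            continue
        idx = tokens.index("-f")
        forced_user = tokens[idx + 1] if idx + 1 < len(tokens) else None
        parent = pid_to_comm.get(ev.get("ppid"), "unknown")
        findings.append({
            "audit_id": audit_id,
            "ts": ev["ts"],
            "pid": ev.get("pid"),
            "parent": parent,
            "forced_user": forced_user,
            "severity": "high" if parent == "telnetd" else "medium",
            "argv": tokens,
        })
    return findings


if __name__ == "__main__":
    for f in find_forced_logins(SAMPLE_AUDIT_LOG):
        print(f"[{f['severity']}] audit {f['audit_id']} pid {f['pid']} parent={f['parent']} "
              f"forced_user={f['forced_user']} argv={' '.join(f['argv'])}")
```

Record 42 in the sample (telnetd spawning login with -h and -p but no -f) is the ordinary Telnet login path and produces no finding, which is the distinction the SentinelOne query also relies on; record 45 shows why the parent matters: a getty-style autologin also uses -f and would otherwise be indistinguishable from the exploit pattern.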
Delivery Methods
· Remote network-level exploitation via the Telnet protocol (TCP port 23)
References
NVD
· hxxps://nvd.nist.gov/vuln/detail/CVE-2026-24061
Tenable
· hxxps://www.tenable.com/cve/CVE-2026-24061/plugins
VirusTotal
· hxxps://www.virustotal.com/gui/file/21fb7f8941b929a5b18530f435c236c79b4974d41109cecb9e7098f5bbe04dd6/details
Security Affairs
· hxxps://securityaffairs.com/187255/security/11-year-old-critical-telnetd-flaw-found-in-gnu-inetutils-cve-2026-24061.html
Cyber Press
· hxxps://cyberpress.org/critical-gnu-inetutils-vulnerability-allows-unauthenticated-root-access-via-f-root/
CISA KEV List
· hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24061