A Critical Telnet authentication bypass vulnerability (CVE-2026-24061) has been discovered 800,000 Devices Are EXPOSED 

A critical Telnet authentication bypass, CVE-2026-24061, is putting a large slice of the internet at risk because it can allow unauthenticated remote access—potentially straight to root—when vulnerable Telnet daemons are exposed. Reports estimate roughly 800,000 internet-reachable Telnet servers/devices are exposed, and scanning/exploitation activity has been observed shortly after disclosure.

CVE-2026-24061: Telnet auth bypass puts exposed systems at risk

CVE-2026-24061 is an authentication bypass vulnerability in GNU InetUtils telnetd affecting versions 1.9.3 through 2.7. It’s rated Critical (CVSS 9.8) because it’s reachable over the network (TCP/23), requires no authentication, and can yield full compromise

Using Kali Linux 2025.4 and Wireshark, we break down the packet traffic to show exactly how the telnet -f root command bypasses the login prompt entirely. Despite Telnet being an insecure protocol, legacy IoT devices and internal lab environments remain heavily reliant on it, making this 9.8 CVSS severity bug a massive threat in 2026.

 

Patch by upgrading GNU InetUtils telnetd to a fixed release (commonly referenced as 2.8+), or apply the upstream fixes released Jan 20, 2026; if you can’t patch immediately, disable telnetd and/or block TCP/23 from untrusted networks. This CVE is also flagged by NVD as being in CISA’s Known Exploited Vulnerabilities catalog, so treat it as an active-risk item.

Who is affected

CVE-2026-24061 affects GNU InetUtils telnetd versions 1.9.3 through 2.7 and allows remote authentication bypass via a “-f root” value for the USER environment variable. Ubuntu’s advisory notes the vulnerable component is the telnetd server and reiterates that Telnet is insecure by design and strongly discouraged