CVE-2026-24061: Telnetd Root Shell, Two Independent PoCs, Already in CISA KEV. The Commodity Window Is Open.
- Patrick Duggan
CVE-2026-24061 is a GNU InetUtils telnetd authentication bypass. The vulnerability lives in how telnetd handles the USER environment variable passed through the Telnet protocol. An unauthenticated remote attacker injects arbitrary command-line flags and gets a root shell. No credentials required.
SafeBreach Labs published the first proof-of-concept. Our exploit harvester caught tc4dy's independently published second PoC shortly after. CISA added CVE-2026-24061 to the Known Exploited Vulnerabilities catalog — active exploitation confirmed.
Two independent PoC repos on an already-KEV vulnerability is the signal. The researcher phase is over. The commodity phase is beginning.
Who Still Runs Telnetd
The obvious answer is nobody. The accurate answer is a lot of people who don't know they do.
GNU InetUtils telnetd ships with or is available on a long list of Linux distributions. It is enabled by default on some embedded Linux images. Network appliances, industrial control systems, legacy servers, IoT devices, and anything built on an older embedded Linux base may have telnetd running — either because it was enabled during deployment, because it was part of a factory image that never got updated, or because an administrator enabled it years ago for "temporary" access and never turned it off.
The internet-exposed attack surface for telnetd is not zero. Shodan consistently finds telnet services exposed on port 23. The devices behind those ports include routers, switches, industrial controllers, NAS devices, cameras, and servers running configurations that haven't been touched in years.
The PoC Graph
SafeBreach Labs published the primary exploitation research; the CVE-2026-24061 repository in their catalog has 205 GitHub stars. SafeBreach is a legitimate security company running breach simulation products. They publish offensive research as part of their normal operation.
tc4dy is a different profile. The same account that published the second CVE-2026-24061 PoC also built MinerCadUltimate — a cryptocurrency mining tool — and HuntCat, described as an "enterprise-grade web crawler" that reads more like a network scanner. tc4dy follows nobody on GitHub and publishes tools that span vulnerability research and operational financial exploitation. This is not a pure researcher profile.
The second independent PoC coming from an account with a mining tool in their catalog is a specific signal: someone is mapping the exploitation path for operational use, not academic publication.
The WindowsDowndate Chain
SafeBreach's catalog is worth understanding in full. Alongside CVE-2026-24061 they maintain WindowsDowndate (715 stars) — a tool that takes over Windows Update mechanisms to downgrade a system to a vulnerable prior state — and PoolParty (1275 stars), a collection of fully-undetectable process injection techniques.
The downgrade-then-exploit chain: WindowsDowndate rolls back the target's patch level. CVE-2026-24061 provides unauthenticated root access on the degraded system. PoolParty handles post-exploitation persistence without triggering EDR. These tools were published independently as research. They chain together as an operational kit.
What to Do
If you manage Linux servers, embedded systems, or network devices: check whether telnetd is running. On most Linux systems systemctl status telnet or netstat -tlnp | grep :23 will tell you. If it's running and you don't need it, disable it. If you need remote access, SSH exists.
If you manage a fleet of network appliances or embedded devices where you cannot easily audit telnetd status: assume some percentage have it running and treat any exposure of port 23 to untrusted networks as a critical finding.
The patch is available. GNU InetUtils 2.8 addresses the issue. Federal agencies have a CISA-mandated deadline. Everyone else has a commodity exploitation timeline that starts now.
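The audit described above (is telnetd listening, is it enabled through inetd or xinetd, is the installed InetUtils older than the fixed 2.8 release) as a runnable script. This is an added example, not code from the post, SafeBreach, or GNU InetUtils. It assumes ss or netstat is installed, that inetd and xinetd use their default config paths (/etc/inetd.conf, /etc/xinetd.d/telnet), and that `telnetd --version` prints a line of the form "telnetd (GNU inetutils) X.Y"; the sample listener table and inetd.conf fragment embedded in it are constructed for the self-check and are not real captures.

```shell
#!/bin/sh
# telnetd_audit.sh: check a Linux host for an active or enabled telnetd and
# for a GNU InetUtils version older than the 2.8 fix named in the post.
# Added example; not the post's or the project's code. Assumptions: ss (or
# netstat) is installed, inetd/xinetd use their default config paths, and
# `telnetd --version` prints a line like "telnetd (GNU inetutils) 2.5".

# Constructed sample of `ss -tlnp` output used by the self-check:
# one telnet listener on port 23, one sshd, one unrelated port 2323 service.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=801,fd=3))
LISTEN 0      128    0.0.0.0:23        0.0.0.0:*     users:(("inetd",pid=612,fd=5))
LISTEN 0      4096   [::]:2323         [::]:*        users:(("sshd",pid=801,fd=4))'

# Constructed /etc/inetd.conf fragment: telnet enabled, ftp commented out.
SAMPLE_INETD_CONF='#ftp    stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  telnetd'

# Print the TCP listeners bound to port 23 from `ss -tlnp` or `netstat -tlnp`
# output on stdin. In both formats the local address is column 4 and ends
# in ":23"; the header line and other ports (e.g. :2323) do not match.
find_telnet_listeners() {
    awk '$4 ~ /:23$/'
}

# Exit 0 if an inetd.conf on stdin has an uncommented telnet service line.
inetd_telnet_enabled() {
    grep -Eq '^[[:space:]]*telnet[[:space:]]'
}

# Exit 0 if an xinetd service file on stdin has "disable = no".
xinetd_telnet_enabled() {
    grep -Eiq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*no'
}

# Exit 0 if the `telnetd --version` line in $1 names a release below 2.8,
# 1 if it is 2.8 or newer, 2 if no version can be parsed. Minor versions
# are compared numerically so 2.10 is correctly treated as newer than 2.8.
inetutils_older_than_fix() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*inetutils) \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    case $ver in
        *.*) rest=${ver#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    if [ "$major" -lt 2 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -lt 8 ]; then return 0; fi
    return 1
}

# Live audit of this host; runs only when invoked as `sh telnetd_audit.sh --run`.
audit_host() {
    if command -v ss >/dev/null 2>&1; then
        listeners=$(ss -tlnp 2>/dev/null | find_telnet_listeners)
    else
        listeners=$(netstat -tlnp 2>/dev/null | find_telnet_listeners)
    fi
    if [ -n "$listeners" ]; then
        printf 'FINDING: port 23 listener\n%s\n' "$listeners"
    fi
    if [ -r /etc/inetd.conf ] && inetd_telnet_enabled < /etc/inetd.conf; then
        echo 'FINDING: telnet enabled in /etc/inetd.conf'
    fi
    if [ -r /etc/xinetd.d/telnet ] && xinetd_telnet_enabled < /etc/xinetd.d/telnet; then
        echo 'FINDING: telnet enabled in /etc/xinetd.d/telnet'
    fi
    if command -v telnetd >/dev/null 2>&1; then
        v=$(telnetd --version 2>/dev/null | head -n 1)
        if inetutils_older_than_fix "$v"; then
            echo "FINDING: $v is older than the 2.8 fix"
        fi
    fi
    return 0
}

if [ "${1:-}" = "--run" ]; then audit_host; fi
```

Run it as `sh telnetd_audit.sh --run` on each host; any FINDING line is the port-23 exposure the post tells you to treat as a critical finding. The parsing functions read stdin rather than the live system so the same script can be pointed at `ss` output collected from appliances you cannot log into interactively.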
Sources: NVD — CVE-2026-24061 — SafeBreach-Labs PoC — CISA KEV
