CISA Known Exploited Vulnerability
This vulnerability is actively exploited in the wild and listed in the CISA Known Exploited Vulnerabilities catalog.
Remediation Deadline: Feb 16, 2026
Description
GNU InetUtils contains an argument injection vulnerability in telnetd that could allow for remote authentication bypass via a "-f root" value for the USER environment variable.
EPSS — Exploit Probability
Higher than 98.9% of all CVEs
Required Action
This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https://cgit.git.savannah.gnu.org/cgit/inetutils.git ; https://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc; https://codeberg.org/inetutils/inetutils/commit/fd702c02497b2f398e739e3119bed0b23dd7aa7b ; https://nvd.nist.gov/vuln/detail/CVE-2026-24061
Related Articles (2)
⚡ Weekly Recap: SD-WAN 0-Day, Critical CVEs, Telegram Probe, Smart TV Proxy SDK and More
Weekly cybersecurity recap covering active exploits, AI abuse, exposed cloud assets, critical CVEs, and evolving threat trends.
Mar 2, 2026
Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE via Port 23
CVE-2026-32746 exposes telnetd via pre-auth flaw (CVSS 9.8), enabling root RCE through port 23, risking full system takeover.
Mar 18, 2026
Risk Assessment
HIGHDetails
- Severity
- High
- EPSS
- 75.3%
- CISA KEV
- Yes
- Ransomware
- Unknown
- Articles
- 2
Timeline
Published
Jan 26, 2026
Added to KEV
Jan 26, 2026
Remediation Due
Feb 16, 2026