Potential Telnet Authentication Bypass (CVE-2026-24061)

Last updated: 2026-01-24
Created: 2026-01-24

About

Identifies potential exploitation of a Telnet remote authentication bypass vulnerability (CVE-2026-24061) in GNU Inetutils telnetd. The vulnerability allows unauthenticated access by supplying a crafted `-f <username>` value via the `USER` environment variable, resulting in a login process spawned with elevated privileges.
Tags
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Lateral Movement
Use Case: Vulnerability
Data Source: Elastic Defend
Data Source: Elastic Endgame
Data Source: Crowdstrike
Data Source: SentinelOne
Language: eql
Severity
critical
Risk Score
99
MITRE ATT&CK™

Initial Access (TA0001)

Lateral Movement (TA0008)

License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
endgame-*
logs-endpoint.events.process*
logs-crowdstrike.fdr*
logs-sentinel_one_cloud_funnel.*
Related Integrations

endpoint

crowdstrike

sentinel_one_cloud_funnel

Query
process where host.os.type == "linux" and event.type == "start" and
  event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed") and
  process.name == "login" and process.parent.name == "telnetd" and
  process.args : "-*f*"
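The query above re-expressed as a small Python matcher, added here as an example and not part of the Elastic rule or its repository; the events it runs over are constructed, and the `_event` helper and the flattened dotted field names are assumptions made for the example.

```python
from fnmatch import fnmatchcase

# Field values copied from the rule's query above.
ALLOWED_ACTIONS = {"exec", "exec_event", "start", "ProcessRollup2", "executed"}
ARGS_PATTERN = "-*f*"  # EQL ':' operator: case-insensitive, '*' is a wildcard


def args_match(args, pattern=ARGS_PATTERN):
    """True if any element of process.args matches the wildcard pattern.
    EQL ':' compares case-insensitively, so both sides are lower-cased."""
    return any(fnmatchcase(a.lower(), pattern.lower()) for a in args)


def rule_matches(event):
    """Apply every condition of the rule to one flattened process event."""
    return (
        event.get("host.os.type") == "linux"
        and event.get("event.type") == "start"
        and event.get("event.action") in ALLOWED_ACTIONS
        and event.get("process.name") == "login"
        and event.get("process.parent.name") == "telnetd"
        and args_match(event.get("process.args", []))
    )


def find_hits(events):
    """Return the ids of the events that would raise the alert."""
    return [e["id"] for e in events if rule_matches(e)]


def _event(eid, args, parent="telnetd", os_type="linux"):
    """Build a constructed sample event (assumed shape, not real telemetry)."""
    return {"id": eid, "host.os.type": os_type, "event.type": "start",
            "event.action": "exec", "process.name": "login",
            "process.parent.name": parent, "process.args": args}


# Constructed samples: 198.51.100.7 is a documentation address, not a real host.
SAMPLE_EVENTS = [
    _event(1, ["login", "-h", "198.51.100.7", "-f", "root"]),   # forced login: alert
    _event(2, ["login", "-h", "198.51.100.7", "-froot"]),       # attached form: alert
    _event(3, ["login", "-h", "198.51.100.7", "-p"]),           # ordinary prompt: no alert
    _event(4, ["login", "-f", "root"], parent="sshd"),          # wrong parent: no alert
    _event(5, ["login", "-f", "root"], os_type="macos"),        # wrong OS: no alert
]

if __name__ == "__main__":
    print(find_hits(SAMPLE_EVENTS))  # → [1, 2]
```

Because `-*f*` is a wildcard rather than an exact flag, any other dash-prefixed `login` argument containing an `f` also matches, so confirm the actual argument on an alert before escalating.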

Install detection rules in Elastic Security

Detect Potential Telnet Authentication Bypass (CVE-2026-24061) in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.