Telnet Authentication Bypass via User Environment Variable

Last updated 8 days ago on 2026-01-26

Created 8 days ago on 2026-01-26

About

Identifies potential exploitation of a Telnet remote authentication bypass vulnerability (CVE-2026-24061) in GNU Inetutils telnetd. The vulnerability allows unauthenticated access by supplying a crafted `-f <username>` value via the `USER` environment variable, resulting in a login process spawned with elevated privileges.

Tags

Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: Initial AccessTactic: Lateral MovementUse Case: VulnerabilityData Source: Auditd ManagerLanguage: eql

Severity

critical

Risk Score

MITRE ATT&CK™

Initial Access (TA0001)(external, opens in a new tab or window)

↳ Exploit Public-Facing Application (T1190)(external, opens in a new tab or window)

Lateral Movement (TA0008)(external, opens in a new tab or window)

↳ Exploitation of Remote Services (T1210)(external, opens in a new tab or window)

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type: Event Correlation Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: auditbeat-*logs-auditd_manager.auditd-*
Related Integrations: auditd_manager(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗sequence by host.id with maxspan=1s
 [process where host.os.type == "linux" and event.type == "start" and event.action in ("process_started", "executed") and process.name == "telnetd"] by process.pid
 [process where host.os.type == "linux" and event.type == "start" and event.action in ("process_started", "executed") and process.name == "login" and process.args : "-*f*"] by process.parent.pid

Install detection rules in Elastic Security

Detect Telnet Authentication Bypass via User Environment Variable in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).