Potential Telnet Authentication Bypass (CVE-2026-24061)

Identifies potential exploitation of a Telnet remote authentication bypass vulnerability (CVE-2026-24061) in GNU Inetutils telnetd. The vulnerability allows unauthenticated access by supplying a crafted -f <username> value via the USER environment variable, resulting in a login process spawned with elevated privileges.

Elastic rule

    [metadata]
    creation_date = "2026/01/24"
    integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
    maturity = "production"
    updated_date = "2026/01/24"

    [rule]
    author = ["Elastic"]
    description = """
    Identifies potential exploitation of a Telnet remote authentication bypass vulnerability (CVE-2026-24061) in GNU Inetutils
    telnetd. The vulnerability allows unauthenticated access by supplying a crafted `-f <username>` value via the `USER` environment
    variable, resulting in a login process spawned with elevated privileges.
    """
    from = "now-9m"
    index = [
        "endgame-*",
        "logs-endpoint.events.process*",
        "logs-crowdstrike.fdr*",
        "logs-sentinel_one_cloud_funnel.*",
    ]
    language = "eql"
    license = "Elastic License v2"
    name = "Potential Telnet Authentication Bypass (CVE-2026-24061)"
    note = """## Triage and analysis

    ### Investigating Potential Telnet Authentication Bypass (CVE-2026-24061)

    CVE-2026-24061 is a critical authentication bypass vulnerability affecting `telnetd` in GNU Inetutils. By supplying a
    crafted `-f root` value through the USER environment variable, a remote attacker can bypass authentication and gain
    unauthorized root-level access. This exploit results in the `login` process being executed with attacker-controlled
    arguments, typically spawned by `telnetd` or via `xinetd`.

    This rule detects suspicious `login` executions associated with Telnet services that include the `-f` flag, which
    forces authentication as a specified user and is indicative of exploitation attempts.

    #### Possible investigation steps

    - Investigate the process execution chain (parent process tree) for the suspicious `login` process.
      - Confirm whether `login` was spawned by `telnetd` or indirectly via `xinetd`.
      - Review the command-line arguments passed to `login`, paying special attention to the presence of `-f` and any
        attempts to authenticate as `root` or other privileged users.
    - Validate whether the Telnet service is expected to be running on the affected host.
      - Telnet is deprecated and should rarely be exposed or enabled in modern environments.
    - Investigate post-authentication activity originating from the compromised session.
      - Look for command execution, file modifications, privilege escalation attempts, or persistence mechanisms.
      - Review network connections initiated after the suspicious login event.
    - Check for additional alerts or suspicious activity on the same host within the past 48 hours.
    - Determine whether the system is running a vulnerable version of GNU Inetutils telnetd.

    ### False positive analysis

    - Legitimate use of the `-f` flag with `login` is extremely rare and typically restricted to trusted, local workflows.
    - False positives may occur in highly customized or legacy environments where Telnet is still in use.
    - Any benign occurrences should be carefully validated and documented before adding exceptions.

    ### Related Rules

    - Telnet Authentication Bypass via User Environment Variable - "eb3150eb-e9fb-4a64-a0fc-aa66cdd35632"

    ### Response and remediation

    - Immediately isolate the affected host to prevent further unauthorized access or lateral movement.
    - Terminate suspicious Telnet sessions and collect volatile forensic data where possible.
    - Investigate for signs of credential access, persistence, or follow-on exploitation.
    - Patch or upgrade GNU Inetutils to a version that addresses CVE-2026-24061.
    - Disable the Telnet service entirely if it is not explicitly required.
    - Enforce the use of secure alternatives such as SSH for remote administration.
    - Rotate credentials for any accounts that may have been exposed or accessed.
    - Perform a full system integrity review and antimalware scan.
    - Update hardening, monitoring, and logging policies to improve detection of legacy remote access abuse.
    """
    references = [
        "https://www.safebreach.com/blog/safebreach-labs-root-cause-analysis-and-poc-exploit-for-cve-2026-24061/",
        "https://security-tracker.debian.org/tracker/CVE-2026-24061"
    ]
    risk_score = 99
    rule_id = "ab7795cc-0e0b-4f9d-a934-1f17a58f869a"
    severity = "critical"
    tags = [
        "Domain: Endpoint",
        "OS: Linux",
        "Use Case: Threat Detection",
        "Tactic: Initial Access",
        "Tactic: Lateral Movement",
        "Resources: Investigation Guide",
        "Use Case: Vulnerability",
        "Data Source: Elastic Defend",
        "Data Source: Elastic Endgame",
        "Data Source: Crowdstrike",
        "Data Source: SentinelOne"
    ]
    timestamp_override = "event.ingested"
    type = "eql"

    query = '''
    process where host.os.type == "linux" and event.type == "start" and
      event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed") and
      process.name == "login" and process.parent.name == "telnetd" and process.args : "-*f*"
    '''


    [[rule.threat]]
    framework = "MITRE ATT&CK"
    [[rule.threat.technique]]
    id = "T1190"
    name = "Exploit Public-Facing Application"
    reference = "https://attack.mitre.org/techniques/T1190/"


    [rule.threat.tactic]
    id = "TA0001"
    name = "Initial Access"
    reference = "https://attack.mitre.org/tactics/TA0001/"
    [[rule.threat]]
    framework = "MITRE ATT&CK"
    [[rule.threat.technique]]
    id = "T1210"
    name = "Exploitation of Remote Services"
    reference = "https://attack.mitre.org/techniques/T1210/"


    [rule.threat.tactic]
    id = "TA0008"
    name = "Lateral Movement"
    reference = "https://attack.mitre.org/tactics/TA0008/"
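The following Python replay of the rule's EQL where-clause is an added example, not code from Elastic or the detection-rules repository. It runs the same conditions (Linux host, process start, the listed event.action values, `login` under a `telnetd` parent, an argument matching the case-insensitive wildcard `-*f*`) over a handful of constructed ECS-shaped process events and, for every hit, walks the parent chain that the investigation steps ask analysts to reconstruct. The pids, the `agetty` autologin event (standing in for the trusted local `-f` use the false-positive section mentions) and the chain-walk helper are assumptions of this example, not part of the rule.

```python
"""Replay of the rule's EQL conditions over constructed Linux process events.

Added example, not part of the Elastic rule. Field layout follows the names the
query uses (host.os.type, event.type, event.action, process.name, process.args,
process.parent.name); pids, the agetty event and the chain walk are assumptions
added so the triage step "inspect the parent process tree" can be shown next to
the match itself.
"""
from fnmatch import fnmatchcase
from typing import Dict, List

# event.action values accepted by the rule (copied from the query).
ACTIONS = {"exec", "exec_event", "start", "ProcessRollup2", "executed"}
ARGS_PATTERN = "-*f*"  # the EQL wildcard the rule applies to process.args


def proc_event(pid, name, args, ppid, pname, etype="start", action="exec", os="linux"):
    """Build one constructed ECS-like process event (sample data, not real telemetry)."""
    return {
        "host": {"os": {"type": os}},
        "event": {"type": etype, "action": action},
        "process": {"pid": pid, "name": name, "args": args,
                    "parent": {"pid": ppid, "name": pname}},
    }


# Constructed sample telemetry: a super-server, the telnet daemon it launched,
# one ordinary telnet login, one login carrying the -f flag, an agetty
# autologin (assumed here as the legitimate local -f case), and a process-end
# event with the same arguments that the rule must ignore.
EVENTS: List[Dict] = [
    proc_event(100, "xinetd", ["xinetd", "-stayalive"], 1, "systemd"),
    proc_event(200, "telnetd", ["in.telnetd"], 100, "xinetd"),
    proc_event(300, "login", ["login", "-h", "203.0.113.5", "-p"], 200, "telnetd"),
    proc_event(301, "login", ["login", "-f", "root"], 200, "telnetd"),
    proc_event(400, "login", ["login", "-f", "alice"], 500, "agetty"),
    proc_event(302, "login", ["login", "-f", "root"], 200, "telnetd",
               etype="end", action="end"),
]


def eql_wildcard(value: str, pattern: str) -> bool:
    """EQL ':' comparison: case-insensitive, '*' matches any run of characters."""
    return fnmatchcase(value.lower(), pattern.lower())


def matches_rule(event: Dict) -> bool:
    """Apply the rule's where-clause to a single event."""
    proc = event.get("process", {})
    return (
        event.get("host", {}).get("os", {}).get("type") == "linux"
        and event.get("event", {}).get("type") == "start"
        and event.get("event", {}).get("action") in ACTIONS
        and proc.get("name") == "login"
        and proc.get("parent", {}).get("name") == "telnetd"
        # process.args is an array: the wildcard only has to hit one element
        and any(eql_wildcard(a, ARGS_PATTERN) for a in proc.get("args", []))
    )


def parent_chain(event: Dict, by_pid: Dict[int, Dict], max_depth: int = 16) -> List[str]:
    """Walk process.parent.pid upwards through the indexed start events.

    Stops when the parent is not in the index and records its name from the
    last child's parent field, so the root (e.g. systemd) still appears.
    """
    chain = [event["process"]["name"]]
    cur = event
    for _ in range(max_depth):
        parent = cur["process"]["parent"]
        nxt = by_pid.get(parent["pid"])
        if nxt is None:
            chain.append(parent["name"])
            break
        chain.append(nxt["process"]["name"])
        cur = nxt
    return chain


def run_rule(events: List[Dict]) -> List[Dict]:
    """Return one finding per matching event, with its args and reconstructed chain."""
    by_pid = {e["process"]["pid"]: e for e in events if e["event"]["type"] == "start"}
    return [
        {"pid": e["process"]["pid"], "args": e["process"]["args"],
         "chain": parent_chain(e, by_pid)}
        for e in events if matches_rule(e)
    ]


if __name__ == "__main__":
    for hit in run_rule(EVENTS):
        ancestry = " <- ".join(hit["chain"][1:])
        print(f"pid {hit['pid']}: {' '.join(hit['args'])}  (spawned by {ancestry})")
```

Only pid 301 fires: the ordinary telnet login has no `-f`, the agetty autologin fails the `process.parent.name == "telnetd"` test, and the end event fails `event.type == "start"`. The chain for the hit reads `login <- telnetd <- xinetd <- systemd`, which is the indirect launch via `xinetd` the investigation steps describe. Note that the query keys on the direct parent being `telnetd`; a deployment where `login` is launched some other way would need the related rule listed in the note.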
