CVE-2026-28372: Critical Flaw in GNU inetutils Telnetd Lets Local Users Escalate to Root Without Authentication

Aegiron 9 mins0

GNU inetutils telnetd Privilege Escalation Vulnerability

  • CVE ID: CVE-2026-28372
  • Component Affected: GNU inetutils telnetd
  • Vulnerability Type: Local Privilege Escalation
  • CVSS v3.1 Score: 7.8 (High)
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Impact: High Confidentiality, Integrity, and Availability impact
  • Exploit Availability: Public proof-of-concept available (educational/research context)
  • Exploit Maturity: Functional PoC demonstrated

Executive Summary

A privilege escalation issue was identified in GNU inetutils telnetd due to improper handling of environment variables and system credential logic introduced in newer util-linux versions. The vulnerability allows a locally authenticated user to escalate privileges to root by manipulating how the login program processes service credentials.

The issue stems from insufficient validation of environment variables passed during a telnet session, particularly the CREDENTIALS_DIRECTORY variable used by systemd-integrated login mechanisms. When combined with a crafted login.noauth file placed in a controlled directory, authentication checks can effectively be bypassed, resulting in a root shell.

This issue is considered high severity because it enables full system compromise from a low-privileged local account.

Technical Root Cause

The vulnerability is triggered due to the following chain of behavior:

  1. util-linux introduced support for systemd service credentials, allowing login to read authentication data from a directory defined by CREDENTIALS_DIRECTORY.
  2. telnetd fails to properly sanitize or restrict certain environment variables during session initialization.
  3. An attacker is able to influence or control the CREDENTIALS_DIRECTORY value.
  4. A specially crafted file named login.noauth is placed inside that directory.
  5. When login executes, it interprets the presence of this file as an instruction to bypass normal authentication logic.
  6. A privileged session is granted without valid credentials.

The weakness falls under improper trust boundary enforcement and unsafe inclusion of functionality from an untrusted control sphere.

Affected Systems

Systems are affected if all of the following conditions are true:

  • GNU inetutils telnetd is installed and active.
  • A vulnerable version of inetutils is in use (prior to upstream fix).
  • util-linux includes the systemd credential support feature.
  • A local attacker has the ability to create files and initiate a telnet session.

Modern hardened systems typically do not run telnet services by default. However, legacy systems, embedded devices, lab environments, and internal management systems may still expose this service.

Exploitation Scenario (Educational)

The exploitation flow generally follows these steps:

  1. A low-privileged user creates a writable directory.
  2. Inside that directory, a file named login.noauth is created.
  3. The CREDENTIALS_DIRECTORY environment variable is manipulated to point to this directory.
  4. A telnet session is initiated locally or through the system.
  5. telnetd launches login, which processes the manipulated credential directory.
  6. Authentication is bypassed.
  7. A root shell is obtained.

No password cracking or brute force is required. No race condition or timing attack is involved. The exploitation process is deterministic and reliable once environmental conditions are satisfied.

Impact Assessment

If exploited successfully:

  • Full root access is obtained.
  • System configuration can be altered.
  • Sensitive data can be accessed or exfiltrated.
  • Persistence mechanisms can be deployed.
  • Logs can be erased or manipulated.
  • Lateral movement may follow.

Because the vulnerability requires local access, it is frequently chained with another weakness such as:

  • Weak SSH credentials
  • Web application command injection
  • Compromised user account
  • Container breakout

Indicators of Compromise

The following artifacts may indicate attempted or successful exploitation:

  • Presence of login.noauth in unusual directories.
  • Creation of temporary credential directories by non-root users.
  • telnetd spawning /bin/login followed by immediate privileged shell.
  • Root session creation without corresponding authentication log entries.
  • Abnormal environment variables associated with login processes.

Log Sources for Detection

Monitoring should include:

  • /var/log/auth.log
  • /var/log/secure
  • /var/log/syslog
  • systemd journal (journalctl)
  • /var/log/audit/audit.log
  • EDR process telemetry
  • File integrity monitoring logs

Detection Rules and Queries

Auditd Rule (File Creation Monitoring)

-w /run -p wa -k cred_watch
-w /tmp -p wa -k cred_watch
-w /var/tmp -p wa -k cred_watch

Search logs:

ausearch -k cred_watch | grep login.noauth

Auditd Rule (Execution Monitoring)

-a always,exit -F arch=b64 -S execve -F path=/bin/login -k login_exec

Search:

ausearch -k login_exec

Look for:

  • Parent process: telnetd
  • UID not equal to 0
  • Suspicious environment variables

Splunk Detection Query

index=linux_logs ("login.noauth" OR "telnetd" OR "/bin/login")
| stats count by host user process command_line parent_process
| where parent_process="telnetd"

Elastic (KQL)

process.name : "login" and process.parent.name : "telnetd"

Add filter for non-root user context.

OSQuery Detection

SELECT *
FROM processes
WHERE name = 'login'
AND parent IN (SELECT pid FROM processes WHERE name = 'telnetd');

File System Hunt

find / -name login.noauth -type f 2>/dev/null

Any hit should be investigated immediately.

Mitigation and Remediation

Immediate Actions

  • Disable telnet service if not absolutely required: systemctl stop telnet.socket
    systemctl disable telnet.socket
  • Remove inetutils-telnetd package where possible.
  • Restrict local user access.

Permanent Fix

Upgrade GNU inetutils to the patched version.

Official Upstream Patch:
https://cgit.git.savannah.gnu.org/cgit/inetutils.git/commit/?id=4db2f19f4caac03c7f4da6363c140bd70df31386

Apply vendor-supplied security updates where available.

Hardening Recommendations

  • Replace telnet with SSH.
  • Enable full auditd logging.
  • Enforce strict environment variable sanitization.
  • Use AppArmor or SELinux confinement.
  • Monitor world-writable directories.
  • Implement least privilege access controls.
  • Restrict interactive shell access.

MITRE ATT&CK Mapping

  • Tactic: Privilege Escalation
  • Technique: Exploitation for Privilege Escalation (T1068)
  • CWE: CWE-829 – Inclusion of Functionality from Untrusted Control Sphere

Risk Evaluation

Although this is a local vulnerability, its impact is severe. In environments where multiple users share systems or where low-privilege compromise is common, this issue significantly reduces the barrier to full system takeover.

Any organization still operating telnet services should treat this as high priority.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.