Moxa’s Response Regarding Remote Authentication Bypass in GNU Inetutils Telnetd (CVE-2026-24061)

Act Now | MPSA-267181 | Mar 9, 2026
Moxa
Summary

CVE-2026-24061 is a remote authentication bypass in telnetd from GNU Inetutils through version 2.7. An attacker can bypass telnetd login by setting the USER environment variable to "-f root", resulting in unauthenticated root access to the device. This vulnerability affects all versions of Moxa's Response product that include this vulnerable telnetd component.

What this means
What could happen
An attacker can bypass telnetd authentication and gain root-level access to Moxa devices, allowing them to execute arbitrary commands and alter industrial operations or extract sensitive configuration data.
Who's at risk
Operators of Moxa industrial devices (terminal servers, managed switches, cellular gateways, and other networked Moxa equipment) that run GNU Inetutils telnetd should consider this critical. Any site using telnetd for remote access to Moxa equipment is at immediate risk. Water treatment facilities, electrical substations, and manufacturing plants with Moxa-based remote access systems are particularly vulnerable.
How it could be exploited
An attacker connects to the telnetd service (typically port 23) and sets the USER environment variable to "-f root" before authentication. This tricks telnetd into accepting the connection without validating credentials, granting the attacker root shell access to the device.
Prerequisites
  • Network access to telnetd service (TCP port 23)
  • Telnetd service must be enabled and listening
  • Ability to send environment variable data during telnetd connection
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • Actively exploited (KEV)
  • High EPSS score (87%)
  • No patch available
  • Affects OT network access and device management
Exploitability
Actively exploited — confirmed by CISA KEV
Metasploit module available — weaponized exploit
Public Proof-of-Concept (PoC) on GitHub (10 repositories)
Affected products (1)
Product | Affected Versions | Fix Status
Moxa’s Response Regarding Remote Authentication Bypass in GNU Inetutils Telnetd (CVE-2026-24061) | All versions | No fix yet
Remediation & Mitigation
Do now
  • WORKAROUND: Immediately disable telnetd service on all Moxa devices if not required for operations
  • HARDENING: Restrict network access to telnetd port (23) using firewall rules—allow only from trusted engineering workstations or jump servers
  • HARDENING: Monitor logs for telnetd connection attempts and failed authentication; escalate any successful root-level logins for investigation
  • HOTFIX: Contact Moxa for patched firmware; apply as soon as available in a maintenance window
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Replace telnetd with SSH for remote management; SSH does not have this vulnerability
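
For the monitoring step above, one way to spot the condition this advisory describes on the wire is to decode Telnet NEW-ENVIRON subnegotiations (RFC 1572) from captured client-to-server traffic and flag USER values that look like command-line options. This is an added example, not Moxa or GNU Inetutils code; the function names, the leading-dash/whitespace heuristic and the two sample byte strings are assumptions constructed for illustration.

```python
# Added example: passive check of captured Telnet bytes; names and heuristic are assumptions.
IAC, SB, SE, NEW_ENVIRON = 255, 250, 240, 39  # RFC 854 / RFC 1572
IS, INFO = 0, 2                               # subnegotiation commands sent by a client
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3         # field markers inside the payload

def subnegotiations(stream):  # yield (option, payload) per IAC SB <opt> ... IAC SE
    i, n = 0, len(stream)
    while i < n - 2:
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] != SB:
            i += 2  # other command, or IAC IAC (a literal 0xFF data byte)
        else:
            option, payload, i = stream[i + 2], bytearray(), i + 3
            while i < n - 1 and stream[i:i + 2] != bytes([IAC, SE]):
                if stream[i] == IAC and stream[i + 1] == IAC:
                    i += 1  # doubled IAC inside a block is one 0xFF
                payload.append(stream[i])
                i += 1
            if i < n - 1:  # terminator seen, so the block is complete
                yield option, bytes(payload)
            i += 2

def environ_vars(payload):  # decode an IS/INFO payload into {name: value}
    if not payload or payload[0] not in (IS, INFO):
        return {}
    fields, i = [], 1
    while i < len(payload):
        b = payload[i]
        if b in (VAR, USERVAR, VALUE):
            fields.append([b, bytearray()])
        elif fields:
            if b == ESC and i + 1 < len(payload):
                i, b = i + 1, payload[i + 1]  # ESC quotes the next byte
            fields[-1][1].append(b)
        i += 1
    env, name = {}, None
    for kind, data in fields:
        name = data.decode("latin-1") if kind != VALUE else name
        if name is not None:
            env[name] = data.decode("latin-1") if kind == VALUE else ""
    return env

def suspicious_user_values(stream):  # USER values starting with '-' or holding whitespace
    users = (environ_vars(p).get("USER") for o, p in subnegotiations(stream) if o == NEW_ENVIRON)
    return [u for u in users if u is not None and (u[:1] == "-" or any(map(str.isspace, u)))]

# Constructed captures (not real traffic): an ordinary login name, then the value quoted above.
BENIGN = bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER" + bytes([VALUE]) + b"alice" + bytes([IAC, SE])
FLAGGED = bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER" + bytes([VALUE]) + b"-f root" + bytes([IAC, SE])
```

Feed it the reassembled client side of each TCP/23 session; a non-empty result is worth escalating alongside any root login recorded for the same session.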