CVE-2026-24061

GNU InetUtils Argument Injection Vulnerability (CVE-2026-24061)

CVE-2026-24061 is an argument injection vulnerability (CWE-88) in GNU InetUtils affecting utilities such as telnet, ftp, rsh, rcp, and related tools. An attacker who can control arguments passed to InetUtils binaries may inject additional command-line options, potentially enabling unauthorized network access, privilege escalation, or lateral movement. This vulnerability is listed on the CISA Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.
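The paragraph above frames the bug as a caller letting attacker-controlled arguments reach an InetUtils binary. The following is an added example (not InetUtils code and not the upstream fix) of caller-side hardening against CWE-88: the host and port a wrapper forwards to telnet are checked against their own grammar before argv is built, and argv is built as a list so no shell re-parses it. The `--` end-of-options marker is an assumption that the target honours getopt/argp conventions and is only defence in depth; the validation alone rejects option-shaped, newline-bearing and semicolon-bearing values.

```python
"""Caller-side hardening against argument injection (CWE-88) for a program
that forwards user-supplied values to an InetUtils binary.

Added example, not InetUtils code. Positional values are constrained to
their own grammar before they reach argv; argv is a list, never a shell
string. "--" is assumed to be honoured by the target (getopt/argp).
"""
import ipaddress
import re
from typing import List, Optional

# RFC 1123 hostname: dot-separated labels of letters, digits and inner hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


class ArgumentRejected(ValueError):
    """Raised for a value that must not be passed to the target binary."""


def host_rejection_reason(value: str) -> Optional[str]:
    """Why a host value must not reach argv, or None if it is acceptable."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return "control character (e.g. a newline followed by an option)"
    if value.startswith("-"):
        return "begins with '-' and would parse as an option"
    try:
        ipaddress.ip_address(value)       # IPv4 or IPv6 literal is fine as-is
        return None
    except ValueError:
        pass
    if not HOSTNAME_RE.match(value):
        return "not an IP literal or RFC 1123 hostname (rejects ';', spaces, quotes)"
    return None


def validate_host(value: str) -> str:
    reason = host_rejection_reason(value)
    if reason is not None:
        raise ArgumentRejected(f"host {value!r}: {reason}")
    return value


def port_rejection_reason(value: object) -> Optional[str]:
    """Why a port value must not reach argv, or None if it is acceptable."""
    text = str(value).strip()
    if not text.isdecimal():              # also rejects "-p", "+23", "23;id"
        return "not a decimal integer"
    if not 1 <= int(text) <= 65535:
        return "out of range"
    return None


def validate_port(value: object) -> str:
    reason = port_rejection_reason(value)
    if reason is not None:
        raise ArgumentRejected(f"port {value!r}: {reason}")
    return str(int(str(value).strip()))   # canonical decimal form


def build_telnet_argv(host: str, port: Optional[object] = None) -> List[str]:
    """argv for subprocess.run(argv) without shell=True. "--" is assumed honoured."""
    argv = ["telnet", "--", validate_host(host)]
    if port is not None:
        argv.append(validate_port(port))
    return argv


if __name__ == "__main__":
    print(build_telnet_argv("mail.example.internal", 25))
    for bad in ["-l root", "mail.example.internal\n-l root", "build01; sh -c id"]:
        print(repr(bad), "->", host_rejection_reason(bad))
```

The three rejected values in the `__main__` block are the argument shapes the page's Atomic tests describe; each is stopped by a different check (control character, leading hyphen, hostname grammar), which is why the checks are layered rather than collapsed into one regex.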

Vulnerability Intelligence

KEV — Known Exploited

What is the GNU InetUtils Argument Injection Vulnerability (CVE-2026-24061)?

GNU InetUtils Argument Injection Vulnerability (CVE-2026-24061) maps to the MITRE ATT&CK tactics Lateral Movement, Command and Control, and Privilege Escalation; in ATT&CK terms, the adversary is trying to move through your environment.

This page provides production-ready detection logic for GNU InetUtils Argument Injection Vulnerability (CVE-2026-24061), covering the data sources and telemetry it touches: DeviceProcessEvents, Syslog, SecurityEvent. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactics:

  • Lateral Movement
  • Command and Control
  • Privilege Escalation
Microsoft Sentinel / Defender (KQL)

// InetUtils binaries of interest; matched case-insensitively against FileName
// and as substrings of the command line.
let InetUtilsBinaries = dynamic(["telnet", "ftp", "rsh", "rcp", "rlogin", "tftp", "ping", "traceroute"]);
DeviceProcessEvents
| where FileName in~ (InetUtilsBinaries) or ProcessCommandLine has_any (InetUtilsBinaries)
// Option-value injection ("-x ="), hex- or percent-encoded control characters,
// literal \n or \r escapes, or a ';' followed by an interpreter or download tool.
| where ProcessCommandLine matches regex @"(?i)(\s-[a-zA-Z]{1,3}\s*=|\\x[0-9a-fA-F]{2}|%0[aAdD]|\\n|\\r|;\s*(bash|sh|nc|curl|wget|python|perl))"
// Pull out the first token carrying one of the injection markers for triage.
| extend SuspiciousArg = extract(@"(\S*(?:-[a-zA-Z]=|%0[aAdD]|;\s*\S+)\S*)", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine, SuspiciousArg, FolderPath
// Hosts that forward auth syslog instead of EDR process telemetry; the union
// yields null DeviceProcessEvents columns for these rows.
| union (
    Syslog
    | where Facility == "auth" or SyslogMessage has_any (InetUtilsBinaries)
    | where SyslogMessage matches regex @"(?i)(telnet|ftp|rsh|rcp|rlogin).*(-[a-zA-Z]+=|;\s*(bash|sh|nc|curl|wget))"
    | project TimeGenerated, Computer, SyslogMessage
)
| order by TimeGenerated desc

Detects suspicious argument injection patterns in GNU InetUtils binaries (telnet, ftp, rsh, rcp, rlogin, etc.) by identifying command lines containing option-injection sequences, shell metacharacters, or unusual flag combinations that may exploit CVE-2026-24061.

Severity: high; confidence: medium

Data Sources

  • DeviceProcessEvents
  • Syslog
  • SecurityEvent

Required Tables

  • DeviceProcessEvents
  • Syslog

False Positives

  • Legitimate network administrators using InetUtils with complex argument strings for scripted network diagnostics
  • Automated configuration management tools (Ansible, Chef, Puppet) invoking InetUtils with unusual flags
  • Security scanners or vulnerability assessment tools that exercise InetUtils argument parsing
  • Legacy application wrappers that pass concatenated argument strings to InetUtils binaries

Sigma rule & cross-platform mapping

The detection logic for GNU InetUtils Argument Injection Vulnerability (CVE-2026-24061) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries in KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps), and CQL (CrowdStrike LogScale). In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: InetUtils telnet argument injection via newline encoding

     Expected signal: Auditd EXECVE record showing argv[1] containing a newline character followed by '-l root'; process event logs capturing the raw command-line string with embedded newline.

  2. Test 2: InetUtils ftp option-value injection via concatenated argument

     Expected signal: Process execution event showing ftp launched with argument '-o-p', captured by auditd EXECVE or EDR process telemetry.

  3. Test 3: InetUtils rsh argument injection leading to shell spawning

     Expected signal: Process launch event for rsh with semicolon-delimited command in arguments; potential child process event for shell spawned to execute 'id'; file creation event for /tmp/argus_injection_test.txt.
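The expected signals above name auditd EXECVE records as the primary telemetry, and the KQL query earlier on this page keys on line terminators, "-x=" option-value injection and "; <interpreter>" chains in the command line. The following is an added example (not the page's query and not part of Atomic Red Team) that applies those same indicators to constructed EXECVE records, plus the concatenated-option shape ("-o-p") from the second test. The practitioner detail it shows: auditd hex-encodes any argument containing whitespace, quotes or non-printable bytes, so an injected newline never appears literally in the log line and must be decoded before matching.

```python
"""Argument-injection triage for InetUtils launches recorded by auditd.

Added example; the EXECVE records below are constructed. Indicators mirror
the page's KQL query (line terminators, "-x=" option-value injection,
"; <interpreter>" chains) plus the concatenated-option form "-o-p".
"""
import os
import re
from dataclasses import dataclass, field
from typing import Iterable, List

INETUTILS_BINARIES = {"telnet", "ftp", "rsh", "rcp", "rlogin", "tftp", "ping", "traceroute"}

# auditd EXECVE fields: a0="quoted" for plain args, a1=6D61... (bare hex) for
# args containing whitespace, quotes or non-printable bytes.
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')
EVENT_ID_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")

LINE_TERMINATOR_OPTION_RE = re.compile(r"[\r\n]\s*-[A-Za-z]")   # "host\n-l root"
OPTION_VALUE_RE = re.compile(r"^-[A-Za-z]{1,3}\s*=")            # "-l=root"
CONCAT_OPTION_RE = re.compile(r"^-[A-Za-z]-[A-Za-z]")           # "-o-p"
SHELL_CHAIN_RE = re.compile(r";\s*(bash|sh|nc|curl|wget|python|perl)\b", re.I)


@dataclass
class Finding:
    event_id: str
    binary: str
    argv: List[str]
    reasons: List[str] = field(default_factory=list)


def decode_execve_argv(line: str) -> List[str]:
    """Return argv from one EXECVE record, decoding hex-encoded arguments.

    A regex for a literal "\\n" over the raw line misses an injected newline;
    it is only visible after the bare-hex argument is decoded.
    """
    args = {}
    for m in ARG_RE.finditer(line):
        idx = int(m.group(1))
        if m.group(2) is not None:
            args[idx] = m.group(2)
        else:
            args[idx] = bytes.fromhex(m.group(3)).decode("utf-8", "replace")
    return [args[i] for i in sorted(args)]


def classify_argv(argv: List[str]) -> List[str]:
    """Return the injection indicators present in argv (empty if none)."""
    reasons: List[str] = []
    if not argv or os.path.basename(argv[0]) not in INETUTILS_BINARIES:
        return reasons
    for i, arg in enumerate(argv[1:], start=1):
        if "\n" in arg or "\r" in arg:
            kind = ("line terminator followed by an option"
                    if LINE_TERMINATOR_OPTION_RE.search(arg) else "line terminator")
            reasons.append(f"argv[{i}]: {kind}")
        if OPTION_VALUE_RE.match(arg):
            reasons.append(f"argv[{i}]: option-value injection {arg!r}")
        if CONCAT_OPTION_RE.match(arg):
            reasons.append(f"argv[{i}]: concatenated options {arg!r}")
        if SHELL_CHAIN_RE.search(arg):
            reasons.append(f"argv[{i}]: shell chain {arg!r}")
    return reasons


def scan_execve_log(lines: Iterable[str]) -> List[Finding]:
    """Return a Finding for every EXECVE record that shows an indicator."""
    findings = []
    for line in lines:
        if "type=EXECVE" not in line:
            continue
        argv = decode_execve_argv(line)
        reasons = classify_argv(argv)
        if reasons:
            m = EVENT_ID_RE.search(line)
            findings.append(Finding(m.group(1) if m else "?", os.path.basename(argv[0]), argv, reasons))
    return findings


def _hex(arg: str) -> str:
    """Encode an argument the way auditd does for non-printable content (constructed)."""
    return arg.encode().hex().upper()


# Constructed sample log: one benign launch, the three test shapes, one unrelated binary.
SAMPLE_AUDIT_LOG = [
    'type=EXECVE msg=audit(1700000000.101:1001): argc=2 a0="telnet" a1="mail.example.internal"',
    'type=EXECVE msg=audit(1700000000.102:1002): argc=2 a0="telnet" a1=' + _hex("mail.example.internal\n-l root"),
    'type=EXECVE msg=audit(1700000000.103:1003): argc=3 a0="ftp" a1="-o-p" a2="files.example.internal"',
    'type=EXECVE msg=audit(1700000000.104:1004): argc=3 a0="rsh" a1="build01" a2=' + _hex("uptime; sh -c id"),
    'type=EXECVE msg=audit(1700000000.105:1005): argc=2 a0="/bin/ls" a1="-la"',
]

if __name__ == "__main__":
    for f in scan_execve_log(SAMPLE_AUDIT_LOG):
        print(f.event_id, f.binary, f.reasons)
```

Records 1002, 1003 and 1004 each produce one finding; the benign telnet launch and the `ls` record produce none. The false-positive list earlier on this page applies unchanged: scripted diagnostics and configuration-management tooling can legitimately produce semicolons or unusual flag groupings, so the `reasons` field is meant for triage rather than for auto-blocking.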
