{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-28372", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-02-27T05:28:17.221Z", "datePublished": "2026-02-27T05:28:17.383Z", "dateUpdated": "2026-03-07T17:05:13.869Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "inetutils", "vendor": "GNU", "versions": [{"lessThanOrEqual": "2.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "telnetd in GNU inetutils through 2.7 allows privilege escalation that can be exploited by abusing systemd service credentials support added to the login(1) implementation of util-linux in release 2.40. This is related to client control over the CREDENTIALS_DIRECTORY environment variable, and requires an unprivileged local user to create a login.noauth file."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-829", "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-27T05:32:11.770Z"}, "references": [{"url": "https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html"}, {"url": "https://git.hadrons.org/cgit/debian/pkgs/inetutils.git/commit/?id=3953943d8296310485f98963883a798545ab9a6c"}, {"url": "https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00012.html"}, {"url": "https://www.openwall.com/lists/oss-security/2026/02/24/1"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T00:00:00+00:00", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-28372"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T04:55:14.892Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/02/27/3"}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/06/2"}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/06/3"}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/07/1"}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/07/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-07T17:05:13.869Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/02/27/3"}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/06/2"}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/06/3"}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/07/1"}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/07/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-07T17:05:13.869Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28372", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-03T16:12:52.978471Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T15:46:16.592Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "GNU", "product": "inetutils", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.7"}], "defaultStatus": "unknown"}], "references": [{"url": "https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html"}, {"url": "https://git.hadrons.org/cgit/debian/pkgs/inetutils.git/commit/?id=3953943d8296310485f98963883a798545ab9a6c"}, {"url": "https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00012.html"}, {"url": "https://www.openwall.com/lists/oss-security/2026/02/24/1"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "telnetd in GNU inetutils through 2.7 allows privilege escalation that can be exploited by abusing systemd service credentials support added to the login(1) implementation of util-linux in release 2.40. This is related to client control over the CREDENTIALS_DIRECTORY environment variable, and requires an unprivileged local user to create a login.noauth file."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-829", "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-27T05:32:11.770Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28372", "state": "PUBLISHED", "dateUpdated": "2026-03-07T17:05:13.869Z", "dateReserved": "2026-02-27T05:28:17.221Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-02-27T05:28:17.383Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnu:inetutils:*:*:*:*:*:*:*:*", "matchCriteriaId": "6381CFAE-9A10-40ED-BC93-1DB55CB44327", "versionEndIncluding": "2.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "telnetd in GNU inetutils through 2.7 allows privilege escalation that can be exploited by abusing systemd service credentials support added to the login(1) implementation of util-linux in release 2.40. This is related to client control over the CREDENTIALS_DIRECTORY environment variable, and requires an unprivileged local user to create a login.noauth file."}, {"lang": "es", "value": "telnetd en GNU inetutils hasta la versi\u00f3n 2.7 permite la escalada de privilegios que puede ser explotada al abusar del soporte de credenciales de servicio de systemd a\u00f1adido a la implementaci\u00f3n de login(1) de util-linux en la versi\u00f3n 2.40. Esto est\u00e1 relacionado con el control del cliente sobre la variable de entorno CREDENTIALS_DIRECTORY, y requiere que un usuario local sin privilegios cree un archivo login.noauth."}], "id": "CVE-2026-28372", "lastModified": "2026-03-07T17:15:51.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 5.9, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-27T06:18:00.077", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://git.hadrons.org/cgit/debian/pkgs/inetutils.git/commit/?id=3953943d8296310485f98963883a798545ab9a6c"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00012.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2026/02/24/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/02/27/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/03/06/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/03/06/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/03/07/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/03/07/2"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-829"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "inetutils", "source": "cna", "vendor": "GNU"}, "product": "inetutils", "vendor": "gnu"}], "analysis": {"en": {"generated_at": "2026-04-16T15:32:50.018397+00:00", "value": {"mitigation_remediation": ["Update GNU inetutils to a version that includes the telnetd fix\u2014typically 2.8 or later if available.", "Modify the permissions of the systemd credential directory to prevent writes by non\u2011privileged users and remove any unused login.noauth files.", "Disable or restrict access to telnetd if it is not required for operations, or replace it with a more secure service such as SSH."], "summary": {"action": "Patch", "impact": "Local Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The affected vendor is GNU; the product is inetutils. All releases of inetutils up to and including version 2.7 are impacted, as indicated by the phrase \"through 2.7\" in the advisory. No specific later versions are mentioned, implying that versions newer than 2.7 are presumed to be unaffected once the patch is applied.", "description_and_impact": "Telnetd in GNU inetutils through version 2.7 contains a flaw that allows an unprivileged local user to gain higher privileges. The vulnerability arises when the client can influence the CREDENTIALS_DIRECTORY environment variable used by the systemd service credentials support introduced in util\u2011linux 2.40. By creating a login.noauth file, the attacker can exploit the privilege escalation path. The weakness is identified as CWE\u2011829, an improper restriction of privileges. This flaw enables the attacker to obtain root or administrative privileges on the host, compromising confidentiality, integrity, and availability of system resources.", "risk_and_exploitability": "The CVSS score of 7.4 indicates a high severity vulnerability. The EPSS score of less than 1% points to a very low probability of exploitation at this time. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires a local user able to create a login.noauth file and manipulate the CREDENTIALS_DIRECTORY variable, so the attack vector is local. The risk is therefore significant for environments that run telnetd or grant local users the ability to write to the credential directory."}}}}, "created": "2026-02-27T16:06:12.105610+00:00", "title": "Privilege Escalation via Telnetd and Systemd Credentials", "updated": "2026-04-16T15:45:16.065513+00:00", "vendors": ["gnu", "gnu$PRODUCT$inetutils"]}