11 Year Old LInux Bug Allows Root Access - Cybersecurity Today

Episode Overview

Podcast: Cybersecurity Today
Episode Title: 11 Year Old Linux Bug Allows Root Access
Host: David Shipley
Release Date: January 23, 2026

In this episode, host David Shipley provides updates on the latest cybersecurity threats and incidents affecting businesses. Key topics include new attacks on Fortinet firewalls, the discovery and implications of a critical 11-year-old Linux vulnerability, the rare courtroom outcome of a ransomware case, and widespread credential leaks in the retail sector. Shipley highlights the technical details, ongoing threats, and broader security implications for organizations.

Major Discussion Points & Insights

1. Ongoing Breaches of Fortinet Firewalls

Incident: Fortigate firewall devices are under active attack, with adversaries creating rogue accounts, gaining VPN access, and quickly exporting configuration files.
Attack Characteristics:
- Campaign began January 15, 2026
- Attacks linked to Fortinet’s single sign-on (SSO) feature
- Automated attacks progressing at high speed ([00:30])
Vulnerability Questions:
- Unclear if existing patches address all exploited vulnerabilities
- Patch bypass suspected as even up-to-date systems are affected
Official Response:
- CISA forces agencies to patch rapidly
- Fortinet has not commented on latest events
Quote (David Shipley):

“The speed of the activity strongly suggests automation rather than manual intrusion.” ([00:39])
Broader Concern:
- Mirrors prior authentication bypass flaws in Fortinet’s software
- Customers urged to monitor for suspicious activity, even on patched systems

2. 11-Year-Old Linux TelnetD Vulnerability (CVE-2026-24061)

Vulnerability Details:
- Found in GNU INET UTILS ‘telnetd’ daemon
- Present since a code change in March 2015, unnoticed for nearly 11 years ([01:23])
- Score: CVSS 9.8/10 (critical)
- Allows attackers to bypass authentication and login as root
- All versions from 2015 through 2026 are affected
Technical Cause:
- Telnetd passes unsanitized user variables directly to the system login process
- Specially crafted input skips all authentication checks
Current Threat Activity:
- “Active scanning and exploitation attempts already underway, originating from multiple countries.” ([02:10])
- All detected sources flagged as malicious
Mitigation:
- Disable TelnetD entirely
- Restrict access to Telnet ports
- Apply distribution/firewall vendor patches as they become available
Quote (David Shipley):

“The vulnerability was introduced by a code change in March 2015 and remained undetected until it was responsibly disclosed earlier this month.” ([01:43])

3. Ransomware Boss Pleads Guilty in Unusual Court Outcome

Story Overview:
- Russian national Iannis Alexandrovich Andropenko pled guilty to leading a ransomware operation from the US
- Activities spanned at least 50 victims over four years
- Charges: conspiracy to commit computer fraud/abuse, money laundering
- Noteworthy for having conducted many cyberattacks while openly residing in Florida and California ([03:13])
Legal Developments:
- Granted rare pretrial release after arrest in 2024
- Violated release with substance abuse–related arrests
- Faces up to 25 years in prison, fines, restitution, and asset forfeiture
- Seized assets: millions in crypto, cash, and luxury vehicles
Quote (David Shipley):

“What sets this case [apart] is that Andropenko conducted many of his attacks while living openly in Florida and California.” ([03:34])
Current Status:
- Sentencing not yet scheduled

4. Widespread Credential Leaks in Retail and Supply Chain Sector

Key Findings:
- New report reveals:
  - 70%+ of major retailers
  - Nearly 60% of wholesalers
  - Over half of supply chain organizations
  - ...have login credentials exposed online ([04:29])
Security Implications:
- Exposed credentials enable account takeovers, lateral moves, and supply chain compromises
- Retail and wholesale operations are “large, interconnected technology ecosystems,” so an account breach can affect partners and logistics systems
- Persistent problems with credential hygiene, password reuse, and third-party access management
Quote (David Shipley):

“The findings underscore persistent weaknesses in credential hygiene, password reuse and third party access management issues that continue to fuel breaches across the sector.” ([05:08])

Notable Quotes & Memorable Moments

On automated attacks:

“The speed of the activity strongly suggests automation rather than manual intrusion.”
— David Shipley ([00:39])
On the Linux bug’s longevity:

“The vulnerability was introduced by a code change in March 2015 and remained undetected until it was responsibly disclosed earlier this month.”
— David Shipley ([01:43])
On ransomware operator’s unusual lifestyle:

“What sets this case [apart] is that Andropenko conducted many of his attacks while living openly in Florida and California.”
— David Shipley ([03:34])
On the scale of credential exposures:

“The findings underscore persistent weaknesses in credential hygiene, password reuse and third party access management issues that continue to fuel breaches across the sector.”
— David Shipley ([05:08])

Timestamps for Important Segments

| Topic | Timestamp | |--------------------------------------|:-------------:| | Fortinet firewall attacks | 00:19–01:18 | | Discovery of 11-year-old Linux bug | 01:18–02:33 | | Ransomware boss courtroom case | 02:33–03:58 | | Retail credential exposure report | 03:58–05:35 |

Summary Takeaways

Stay vigilant even when systems are patched—attackers are quickly shifting tactics and targeting single sign-on vulnerabilities.
Legacy protocols like TelnetD remain dangerous if left enabled, especially with such longstanding, severe bugs.
Credential management culture is still lagging—password exposures remain the easiest route for attackers into complex supply chains.
Law enforcement is making rare headway in ransomware cases, but attackers still exploit legal loopholes and operational blind spots.

David Shipley’s delivery balances clear technical explanation with urgent warnings, making this episode valuable listening for IT and security professionals who need to stay ahead of rapidly evolving threats.

Transcript

A (0:00)

Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale. You can find them at meter.com CST.

B (0:19)

Fortinet firewalls breached, an 11 year old Linux bug opens up root access, a ransomware boss pleads guilty and leaked passwords are everywhere in retune. This is Cybersecurity Today and I'm your host David Shipley. Let's get started. Our first story is another serious incident involving Fortinet Fortigate firewalls, and it's still developing. Security firm Arctic Wolf reports automated attacks targeting Fortigate devices where attackers are creating rogue accounts, granting themselves VPN access, and exporting firewall configuration files within seconds. The campaign began January 15th and appears to exploit an unknown vulnerability tied to Fortigate's single sign on feature. The speed of the activity strongly suggests automation rather than manual intrusion. What's especially concerning is that the attacks closely resemble activity observed last month following the disclosure of a critical Fortinet authentication bypass flaw that allowed attackers to bypass SSO protections entirely. At this stage, it's unclear whether the current attacks are fully addressed by existing patches or whether attackers are exploiting a patch bypass. Multiple Fortinet customers report suspicious activity even on systems believed to be up to date. CISA previously added the related vulnerability to its known Exploited Vulnerabilities catalog, ordering federal agencies to patch within days. Fortinet has not yet publicly commented on this latest wave of attacks. Our second story involves a critical Linux vulnerability that went unnoticed for nearly 11 years. A flaw in the GNU INET UTILS telnet Daemon, tracked as CVE202624061, allows attackers to bypass authentication and log in directly as root. The vulnerability carries a CVSS score of 9.8 out of 10 and affects all versions of GNU Inet Utils from 2015 through 2026. The issue stems from improper handling of the user environment variable. TelnetD passes user supplied values directly to the system login process without sanitization. A specially crafted value causes the login process to skip authentication entirely. The vulnerability was introduced by a code change in March 2015 and remained undetected until it was responsibly disclosed earlier this month. Threat intelligence shows active scanning and exploitation attempts already underway, originating from multiple countries. All observed sources have been flagged as malicious. Mitigations include disabling TelnetD entirely, restricting access to Telnet ports, and applying any vendor patches as Linux distributions release them Our third story brings a rare courtroom conclusion to a ransomware case, and it's an unusual one. A Russian national living in the United States has pleaded guilty to leading a ransomware operation that targeted at least 50 victims over a four year period. Iannis Alexandrovich Andropenko admitted to conspiracy to commit computer fraud and abuse, as well as conspiracy to commit money laundering. He faces up to 25 years in US prison, significant fines, restitution to victims and asset forfeiture. What sets this case is that Andropentico conducted many of his attacks while living openly in Florida and California. After his arrest in 2024, he was granted pre trial release, a rare decision in ransomware cases. Court records show repeated violations of his release conditions, including arrests related to substance abuse. Investigators linked his activity to multiple ransomware strains with confirmed losses of at least 1.5 million. Seized assets include millions in cryptocurrency, cash and luxury vehicles. Sentencing has not yet been scheduled. Our final story today highlights widespread credential exposure across the retail sector. A new industry report finds more than 70% of major retailers, nearly 60% of wholesalers, and over half of supply chain organizations have exposed login credentials visible online. Exposed credentials remain one of the most reliable entry points for attackers, enabling account takeover, lateral movement and supply chain compromise. Retail and wholesale organizations rely on large interconnected technology ecosystems, meaning a single compromised account can cascade across vendors, partners and logistics systems. The findings underscore persistent weaknesses in credential hygiene, password reuse and third party access management issues that continue to fuel breaches across the sector. I've been your host, David Shipley. That's the News for Friday, January 23rd. I'll be back on the news desk on Monday. If you enjoy the show, please tell others. Consider leaving a review and remember to like and subscribe. We'd love to continue to reach more people and we need your help. Thanks for listening.