The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dla-4453 advisory.

    -------------------------------------------------------------------------     Debian LTS Advisory DLA-4453-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                   Andreas Henriksson     January 25, 2026                              https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : inetutils     Version        : 2:2.0-1+deb11u3     CVE ID         : CVE-2026-24061     Debian Bug     : 1126047

    Kyu Neushwaistein aka Carlos Cortes Alvarez found that inetutils,     a collection of common network programs, was vulnerable to an authentication     bypass problem in telnetd, which could lead to remote root shell access (if     telnetd is enabled and exposed).

    As described also in the GNU InetUtils security advisory, it is not     recommended to run telnetd server at all. At a minimum, restrict network     access to the telnet port to trusted clients only. There is after all no     encryption built into the telnet protocol, so authentication details would     be sent in plain text over the network (which thus needs to be trusted).

    For more details see the GNU InetUtils Security Advisory:
    https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html

    For Debian 11 bullseye, this problem has been fixed in version     2:2.0-1+deb11u3.

    We recommend that you upgrade your inetutils packages.

    For the detailed security status of inetutils please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/inetutils

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS     Attachment:
    signature.asc     Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Detections

Analytics

Debian dla-4453 : inetutils - security update

critical Nessus Plugin ID 296511

Version 1.5

Version 1.4

Version 1.3

Version 1.2

Version 1.1

Version 1.5 Feb 12, 2026, 3:03 PM Exploit attributes ("Exploit framework metasploit" set to "True") Plugin Feed: 202602121503
Version 1.4 Feb 11, 2026, 1:22 AM Plugin metadata Plugin Feed: 202602110122
Version 1.3 Feb 3, 2026, 2:33 PM Exploit attributes ("Exploit framework core" set to "True") Plugin Feed: 202602031433
Version 1.2 Jan 27, 2026, 5:22 AM CISA reference CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:F/RL:OF/RC:C") CVSS temporal metrics ("CVSSv3 temporal vector" set to "CVSS:3.0/E:F/RL:O/RC:C") Plugin Feed: 202601270522
Version 1.1 Jan 25, 2026, 5:54 AM New Plugin Feed: 202601250554