
Critical GNU InetUtils telnetd Flaw Lets Attackers Bypass Login and Gain Root Access

A critical security flaw has been disclosed in the GNU InetUtils telnet daemon (telnetd) that went unnoticed for nearly 11 years.

The vulnerability, tracked as CVE-2026-24061, is rated 9.8 out of 10.0 on the CVSS scoring system. It affects all versions of GNU InetUtils from version 1.9.3 up to and including version 2.7.

“Telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a ‘-f root’ value for the USER environment variable,” according to a description of the flaw in the NIST National Vulnerability Database (NVD).

In a post on the oss-security mailing list, GNU contributor Simon Josefsson said the vulnerability can be exploited to gain root access to a target system:

The telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter.

If the client supply [sic] a carefully crafted USER environment value being the string “-f root”, and passes the telnet(1) -a or --login parameter to send this USER environment to the server, the client will be automatically logged in as root bypassing normal authentication processes.

This happens because the telnetd server do [sic] not sanitize the USER environment variable before passing it on to login(1), and login(1) uses the -f parameter to by-pass normal authentication.


Josefsson also noted that the vulnerability was introduced as part of a source code commit made on March 19, 2015, which eventually made it into the version 1.9.3 release on May 12, 2015. Security researcher Kyu Neushwaistein (aka Carlos Cortes Alvarez) has been credited with discovering and reporting the flaw on January 19, 2026.


As mitigations, it is advised to apply the latest patches and restrict network access to the telnet port to trusted clients. As temporary workarounds, users can disable the telnetd server, or make the InetUtils telnetd use a custom login(1) tool that does not permit use of the ‘-f’ parameter, Josefsson added.
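The missing check on the client-supplied USER value, sketched as an added example (this is not the GNU InetUtils patch or code from the project). The function names, the 32-character limit and the allowed character set are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical policy: accept only values that login(1) can never parse as
   an option. Non-empty, at most 32 bytes, not starting with '-', and made
   only of [A-Za-z0-9._-]. Whitespace is rejected, so "-f root" and
   "root -f" both fail. */
int user_is_safe(const char *user)
{
    if (user == NULL || user[0] == '\0' || user[0] == '-')
        return 0;
    size_t n = strlen(user);
    if (n > 32)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Build the argument vector for /usr/bin/login. Returns argc, or -1 when the
   USER value is refused. A NULL user means the client sent no USER, so
   login(1) is started without a name and prompts as usual. */
int build_login_argv(const char *user, const char *argv[], size_t cap)
{
    size_t n = 0;
    if (cap < 3)
        return -1;
    argv[n++] = "/usr/bin/login";
    if (user != NULL) {
        if (!user_is_safe(user))
            return -1;              /* refuse rather than try to "clean" it */
        argv[n++] = user;
    }
    argv[n] = NULL;
    return (int)n;
}

int main(void)
{
    /* Constructed sample values, including the one named in the advisory. */
    const char *samples[] = { "alice", "-f root", "root -f", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> %s\n", samples[i],
               user_is_safe(samples[i]) ? "accepted" : "refused");
    return 0;
}
```
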

Data gathered by threat intelligence firm GreyNoise shows that 21 unique IP addresses have been observed attempting to execute a remote authentication bypass attack by leveraging the flaw over the past 24 hours. All of the IP addresses, which originate from Hong Kong, the U.S., Japan, the Netherlands, China, Germany, Singapore, and Thailand, have been flagged as malicious.
