GNU InetUtils telnetd Authentication Bypass Bug Grants Unrestricted Root Access

A severe security vulnerability has been identified in the GNU InetUtils telnet daemon (telnetd) that remained undetected for almost 11 years. Designated as CVE-2026-24061, the flaw carries a CVSS score of 9.8, indicating critical severity. The issue affects all GNU InetUtils releases from version 1.9.3 through 2.7.

According to the NIST National Vulnerability Database (NVD), the vulnerability allows a remote authentication bypass by abusing a specially crafted USER environment variable value of -f root.
GNU contributor Simon Josefsson explained in a post to the oss-security mailing list that the flaw can be exploited to obtain root-level access to a vulnerable system.

The issue arises because the telnetd service invokes /usr/bin/login, which typically runs with root privileges, and passes the USER environment variable received from the client as its final argument. If a client supplies a malicious USER value of -f root and uses the telnet command with the -a or --login option to forward this variable, the server automatically logs the user in as root without requiring authentication.

This behavior occurs because telnetd fails to sanitize the USER environment variable before passing it to login(1). The login program interprets the -f option as a directive to bypass standard authentication checks, resulting in an authentication bypass.
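The missing check can be sketched as follows. This is an added example, not the GNU InetUtils patch or any code from the project: the helper names, the 32-character limit and the decision to refuse the session are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not GNU InetUtils code: may this client-supplied
 * USER value be handed to login(1) as a single operand? */
int user_value_is_safe(const char *user)
{
    if (user == NULL || user[0] == '\0')
        return 0;                      /* no name supplied */
    if (user[0] == '-')
        return 0;                      /* login would parse it as an option */
    if (strlen(user) > 32)
        return 0;                      /* length limit assumed for this example */
    for (const unsigned char *p = (const unsigned char *)user; *p; p++)
        if (isspace(*p) || iscntrl(*p))
            return 0;                  /* could split into extra arguments */
    return 1;
}

/* Fill argv for the login program. Returns the argument count, or -1 when
 * the USER value is refused and the session should not be started. */
int build_login_argv(const char *login_path, const char *user,
                     const char *argv[], size_t cap)
{
    if (cap < 3)
        return -1;
    argv[0] = login_path;
    argv[1] = NULL;
    if (user == NULL || user[0] == '\0')
        return 1;                      /* no name: login prompts as usual */
    if (!user_value_is_safe(user))
        return -1;
    argv[1] = user;
    argv[2] = NULL;
    return 2;
}

int main(void)
{
    /* Constructed sample values; "-f root" is the value quoted in the advisory. */
    const char *samples[] = { "alice", "-f root", "alice -f root", "" };
    const char *argv[3];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %d\n", samples[i],
               build_login_argv("/usr/bin/login", samples[i], argv, 3));
    return 0;
}
```

The same rule applies to any daemon that forwards a client-controlled string to a privileged program: validate it as data before it reaches a command line where a leading dash changes its meaning.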

Josefsson noted that the vulnerability was introduced in a source code commit dated March 19, 2015, which was later included in the GNU InetUtils 1.9.3 release on May 12, 2015. The flaw was discovered and responsibly reported on January 19, 2026, by security researcher Kyu Neushwaistein, also known as Carlos Cortes Alvarez.

To mitigate the risk, users are strongly advised to apply the latest security patches and limit network access to the telnet service to trusted clients only. As temporary countermeasures, administrators can disable the telnetd service entirely or configure InetUtils telnetd to use a custom login(1) implementation that does not support the -f option.

Threat intelligence data from GreyNoise indicates active exploitation attempts. Over the past 24 hours, 21 distinct IP addresses have been observed attempting to exploit the vulnerability to perform remote authentication bypass attacks. These IPs originate from Hong Kong, the United States, Japan, the Netherlands, China, Germany, Singapore, and Thailand, and all have been classified as malicious.
