A serious security flaw has been revealed in the GNU InetUtils Telnet daemon (telnetd) that went unnoticed for nearly 11 years.
This vulnerability is tracked as CVE-2026-24061 and is rated 9.8 out of 10.0 on the CVSS scoring system. This affects all versions of GNU InetUtils from version 1.9.3 to version 2.7.
“Telnetd in GNU Inetutils 2.7 and later allows remote authentication bypass via the ‘-f root’ value of the USER environment variable,” according to the flaw description in the NIST National Vulnerability Database (NVD).
In a post to the oss-security mailing list, GNU contributor Simon Josefsson stated that this vulnerability could be exploited to gain root access to the target system.
The telnetd server calls /usr/bin/login (usually run as root) and passes the value of the USER environment variable received from the client as the last parameter.
If supplied by the client [sic] A carefully crafted USER environment value is the string “-f root”, and if you pass the telnet(1) -a or –login parameter to send this USER environment to the server, the client will automatically log in as root, bypassing the normal authentication process.
This occurs because the telnetd server is running. [sic] Rather than sanitizing the USER environment variable before passing it to login(1), login(1) uses the -f parameter to bypass normal authentication.
Josefsson also noted that the vulnerability was introduced as part of a source code commit on March 19, 2015, which ultimately led to the version 1.9.3 release on May 12, 2015. Security researcher Ky Neushwaistein (aka Carlos Cortes Alvarez) is credited with discovering and reporting the flaw on January 19, 2026.
As a mitigation, we recommend applying the latest patches and restricting network access to Telnet ports to trusted clients. As a temporary workaround, users can disable the telnetd server or have InetUtils telnetd use a custom login(1) tool that does not allow the use of the “-f” parameter, Josefsson added.
According to data collected by threat intelligence firm GreyNoise, over the past 24 hours, 21 unique IP addresses have been observed attempting to leverage this flaw to perform remote authentication bypass attacks. All IP addresses originating from Hong Kong, the United States, Japan, the Netherlands, China, Germany, Singapore, and Thailand are flagged as malicious.
Source link
