A vital safety flaw has been disclosed within the GNU InetUtils telnet daemon (telnetd) that went unnoticed for practically 11 years.
The vulnerability, tracked as CVE-2026-24061, is rated 9.8 out of 10.0 on the CVSS scoring system. It impacts all variations of GNU InetUtils from model 1.9.3 as much as and together with model 2.7.
“Telnetd in GNU Inetutils by 2.7 permits distant authentication bypass by way of a ‘-f root’ worth for the USER setting variable,” in accordance with an outline of the flaw within the NIST Nationwide Vulnerability Database (NVD).
In a put up on the oss-security mailing listing, GNU contributor Simon Josefsson mentioned the vulnerability could be exploited to realize root entry to a goal system –
The telnetd server invokes /usr/bin/login (usually operating as root) passing the worth of the USER setting variable acquired from the consumer because the final parameter.
If the consumer provide [sic] a rigorously crafted USER setting worth being the string “-f root”, and passes the telnet(1) -a or –login parameter to ship this USER setting to the server, the consumer will probably be mechanically logged in as root bypassing regular authentication processes.
This occurs as a result of the telnetd server do [sic] not sanitize the USER setting variable earlier than passing it on to login(1), and login(1) makes use of the -f parameter to by-pass regular authentication.
Josefsson additionally famous that the vulnerability was launched as a part of a supply code commit made on March 19, 2015, which finally made it to model 1.9.3 launch on Could 12, 2015. Safety researcher Kyu Neushwaistein (aka Carlos Cortes Alvarez) has been credited with discovering and reporting the flaw on January 19, 2026.
As mitigations, it is suggested to use the newest patches and limit community entry to the telnet port to trusted purchasers. As momentary workarounds, customers can disable telnetd server, or make the InetUtils telnetd use a customized login(1) device that doesn’t allow use of the ‘-f’ parameter, Josefsson added.
Knowledge gathered by menace intelligence agency GreyNoise reveals that 21 distinctive IP addresses have been noticed trying to execute a distant authentication bypass assault by leveraging the flaw over the previous 24 hours. All of the IP addresses, which originate from Hong Kong, the U.S., Japan, the Netherlands, China, Germany, Singapore, and Thailand, have been flagged as malicious.
