Critical GNU InetUtils Flaw: How Attackers Bypass Login and Gain Root Access (2026)

A critical flaw in the GNU InetUtils telnet daemon (telnetd) went unnoticed for over a decade. Rated 9.8 out of 10.0 on the CVSS scale, the vulnerability affects all versions of GNU InetUtils from 1.9.3 to 2.7.

The vulnerability, tracked as CVE-2026-24061, allows remote attackers to bypass authentication and gain root access to target systems. Here's how it works: the telnetd server invokes /usr/bin/login as root and passes the USER environment variable received from the client to it as a parameter. If the client supplies the string "-f root" as the USER value and includes the telnet(1) -a or --login parameter, login receives "-f root" as if it were its own '-f' option, and the client is automatically logged in as root, bypassing standard authentication processes.

The flaw was introduced in a source code commit on March 19, 2015, and has been present in GNU InetUtils since version 1.9.3, released on May 12, 2015. It was only recently discovered and reported by security researcher Kyu Neushwaistein (aka Carlos Cortes Alvarez) on January 19, 2026.

To mitigate this risk, it is recommended to apply the latest patches and restrict network access to the telnet port. As temporary solutions, users can disable the telnetd server or use a custom login(1) tool that does not allow the '-f' parameter.
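The mechanism and the '-f' workaround described above can be seen side by side in a small model. This is an added example, not the GNU InetUtils source or its patch: the function names, the account-name rule and the use of "--" (which assumes login parses options getopt-style) are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define MAX_ARGS 8
/* Split a command line on spaces, as a daemon does before exec(). */
static int split_args(char *buf, char *argv[]) {
    int argc = 0;
    for (char *t = strtok(buf, " "); t && argc < MAX_ARGS - 1; t = strtok(NULL, " "))
        argv[argc++] = t;
    argv[argc] = NULL;
    return argc;
}

/* Simplified model of the flaw: USER is pasted into the command line. */
int build_unsafe(const char *user, char *buf, size_t len, char *argv[]) {
    snprintf(buf, len, "/usr/bin/login %s", user);
    return split_args(buf, argv);
}

/* Conservative account-name shape (an assumption, not a standard). */
int user_is_safe(const char *user) {
    size_t n = user ? strlen(user) : 0;
    if (n == 0 || n > 32) return 0;
    if (!isalpha((unsigned char)user[0]) && user[0] != '_') return 0;
    for (size_t i = 1; i < n; i++)
        if (!isalnum((unsigned char)user[i]) && !strchr("_.-", user[i])) return 0;
    return 1;
}

/* Hardened: validate, then pass the name as one argv element after "--"
   (assumes login parses options getopt-style). Returns argc or -1. */
int build_safe(const char *user, char *argv[]) {
    if (!user_is_safe(user)) return -1;
    argv[0] = "/usr/bin/login"; argv[1] = "--";
    argv[2] = (char *)user;     argv[3] = NULL;
    return 3;
}

/* 1 if login would receive "-f" as an argument of its own. */
int has_f_flag(char *argv[]) {
    for (int i = 1; argv[i]; i++)
        if (strcmp(argv[i], "-f") == 0) return 1;
    return 0;
}

int main(void) {
    char buf[64], *argv[MAX_ARGS];
    printf("unsafe argc=%d\n", build_unsafe("-f root", buf, sizeof buf, argv));
    printf("-f reaches login: %d, safe builder: %d\n", has_f_flag(argv), build_safe("-f root", argv));
}
```

The same validation can be applied in a wrapper placed in front of login(1), so that a USER value beginning with '-' or containing whitespace is rejected before login ever parses it.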

Threat intelligence firm GreyNoise has observed 21 unique IP addresses attempting to exploit this vulnerability over the past 24 hours. All these IP addresses, originating from various countries including Hong Kong, the U.S., and Japan, have been flagged as malicious.

This critical security flaw serves as a stark reminder of the importance of regular security updates and the need for vigilance in the face of potential threats. Stay informed and protect your systems!

Author: Sen. Ignacio Ratke