A critical security vulnerability in the GNU InetUtils telnet daemon, known as telnetd, has been disclosed after remaining undetected for almost 11 years. This flaw, designated CVE-2026-24061, carries a severe CVSS score of 9.8 out of 10.0, indicating a high risk to systems utilizing the affected software. The vulnerability impacts all versions of GNU InetUtils from 1.9.3 through 2.7.
The core issue, as detailed in the NIST National Vulnerability Database, lies in telnetd’s susceptibility to remote authentication bypass. Attackers can exploit this by manipulating the USER environment variable, setting it to “-f root” to circumvent standard login procedures and gain unauthorized root access to a target system. This discovery highlights a significant oversight in the security of widely used GNU utilities and underscores the importance of continuous vulnerability assessment.
Unpacking the GNU InetUtils telnetd Vulnerability
According to GNU contributor Simon Josefsson, the telnetd server improperly forwards the USER environment variable provided by a client directly to the `/usr/bin/login` utility. This executable typically runs with root privileges. When a malicious user crafts a USER environment variable with the specific value “-f root” and uses the telnet client’s `-a` or `--login` options, the server does not sanitize this input. Consequently, the `login` utility interprets the “-f” parameter as a directive to bypass authentication, effectively granting root access without requiring a password or other credentials.
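The missing input check, as an added example that is not GNU InetUtils code and not the project's patch: a hypothetical validator that rejects a client-supplied USER value before it can reach `login` as an option. The function names, the 32-character limit, the character allowlist and the `-p -h` invocation are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not GNU InetUtils code): returns 1 only if a
 * client-supplied USER value is safe to hand to login as a user name. */
int user_value_is_safe(const char *user)
{
    size_t i, len = user ? strlen(user) : 0;

    if (len == 0 || len > 32)          /* assumed length limit */
        return 0;
    if (user[0] == '-')                /* would be parsed as an option, e.g. -f */
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        /* Allowlist: no whitespace, so the value cannot split into two arguments. */
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Builds an argument vector for login; returns the argument count, or -1 if
 * the USER value is rejected. The -p/-h options are an assumed invocation. */
int build_login_argv(const char *host, const char *user, const char *argv[], size_t cap)
{
    if (cap < 7 || host == NULL || host[0] == '-' || !user_value_is_safe(user))
        return -1;
    argv[0] = "/usr/bin/login";
    argv[1] = "-p";
    argv[2] = "-h";
    argv[3] = host;
    argv[4] = "--";                    /* end of options, assuming getopt-style parsing */
    argv[5] = user;                    /* passed as one element, never re-split */
    argv[6] = NULL;
    return 6;
}

int main(void)
{
    const char *samples[] = { "alice", "-f root", "-froot", "bob smith" }; /* constructed */
    const char *argv[8];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> %s\n", samples[i], build_login_argv("client.example", samples[i], argv, 8) < 0 ? "rejected" : "accepted");
    return 0;
}
```

Rejecting the value outright, rather than trying to strip the leading dash, keeps the check fail-closed.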
This critical security issue was introduced into the codebase on March 19, 2015, as part of a source code commit. It was subsequently released in version 1.9.3 of GNU InetUtils on May 12, 2015. The disclosure came on January 19, 2026. Credit for discovering and reporting this long-standing vulnerability goes to security researcher Kyu Neushwaistein, also known as Carlos Cortes Alvarez.
Exploitation and Mitigation Strategies
The potential for remote code execution and system compromise is significant given the ease of exploitation. Threat intelligence from GreyNoise indicates that malicious actors have already begun probing for this vulnerability. In the 24 hours prior to the report, 21 unique IP addresses originating from various countries, including Hong Kong, the U.S., Japan, the Netherlands, China, Germany, Singapore, and Thailand, were observed attempting to exploit CVE-2026-24061. These IP addresses have been classified as malicious, suggesting active exploitation attempts are underway.
To address this immediate threat, Josefsson recommends applying the latest available patches for GNU InetUtils as soon as possible. Additionally, restricting network access to the telnet port (TCP port 23) to only trusted clients is a crucial preventative measure. For systems where immediate patching is not feasible, temporary workarounds include disabling the telnetd service entirely or reconfiguring the system to use a custom `login` utility that specifically disallows the use of the “-f” parameter, thereby neutralizing the bypass mechanism.
The fact that this telnetd vulnerability went unnoticed for so long serves as a stark reminder for organizations to maintain vigilant cybersecurity practices, including regular software updates, robust access controls, and proactive vulnerability scanning. The ongoing attempts to exploit CVE-2026-24061 indicate that swift action is necessary to secure affected systems against this critical authentication bypass flaw. Further analysis of actor behavior and the release of official patches from the GNU project will be key developments to monitor in the coming weeks.

