A critical flaw in the GNU InetUtils telnet daemon allows remote authentication bypass and affects versions 1.9.3 through 2.7, the NIST National Vulnerability Database entry states.
KEY FACTS
- Incident Remote authentication bypass via crafted USER environment value
- Affected GNU InetUtils telnetd versions 1.9.3 through 2.7
- Severity CVE-2026-24061 rated 9.8 out of 10 on the CVSS scale
- Impact Potential remote root access
- Observed 21 unique IP addresses attempted exploitation in the past 24 hours
The vulnerability was introduced by a source code change committed on March 19, 2015 and was present in the 1.9.3 release on May 12, 2015. The bug went unnoticed until public disclosure in January 2026.
The telnetd server invokes /usr/bin/login and passes the value of the USER environment variable received from the client as the last argument. A client that supplies the string “-f root” as the USER value and sends the environment with telnet -a or –login can cause login to be invoked with the -f parameter, bypassing normal authentication.
All releases of GNU InetUtils from 1.9.3 up to and including 2.7 are affected. Successful exploitation can grant a remote attacker an unauthenticated root shell on an affected host.
Recommended mitigations include applying available patches, restricting network access to the telnet port to trusted hosts, or disabling the telnetd server. As a temporary workaround the telnetd instance can be configured to call a custom login tool that does not accept the -f parameter.
Threat intelligence data shows 21 distinct IP addresses observed attempting this authentication bypass in the previous 24 hours. The addresses were flagged as malicious and traced to multiple countries.
WHY IT MATTERS
The flaw enables remote root access on affected systems, creating a high risk of full system compromise. Administrators should patch or isolate telnet services to reduce exposure.

