Ravie LakshmananJan 22, 2026Vulnerability / Linux
A crucial safety flaw has been disclosed within the GNU InetUtils telnet daemon (telnetd) that went unnoticed for almost 11 years.
The vulnerability, tracked as CVE-2026-24061, is rated 9.8 out of 10.0 on the CVSS scoring system. It impacts all variations of GNU InetUtils from model 1.9.3 as much as and together with model 2.7.
“Telnetd in GNU Inetutils by means of 2.7 permits distant authentication bypass by way of a ‘-f root’ worth for the USER setting variable,” in response to an outline of the flaw within the NIST Nationwide Vulnerability Database (NVD).
In a submit on the oss-security mailing record, GNU contributor Simon Josefsson mentioned the vulnerability could be exploited to achieve root entry to a goal system –
The telnetd server invokes /usr/bin/login (usually operating as root) passing the worth of the USER setting variable acquired from the consumer because the final parameter.
If the consumer provide [sic] a fastidiously crafted USER setting worth being the string “-f root”, and passes the telnet(1) -a or –login parameter to ship this USER setting to the server, the consumer will probably be mechanically logged in as root bypassing regular authentication processes.
This occurs as a result of the telnetd server do [sic] not sanitize the USER setting variable earlier than passing it on to login(1), and login(1) makes use of the -f parameter to by-pass regular authentication.
Josefsson additionally famous that the vulnerability was launched as a part of a supply code commit made on March 19, 2015, which finally made it to model 1.9.3 launch on Could 12, 2015. Safety researcher Kyu Neushwaistein (aka Carlos Cortes Alvarez) has been credited with discovering and reporting the flaw on January 19, 2026.
As mitigations, it is suggested to use the most recent patches and prohibit community entry to the telnet port to trusted shoppers. As non permanent workarounds, customers can disable telnetd server, or make the InetUtils telnetd use a customized login(1) software that doesn’t allow use of the ‘-f’ parameter, Josefsson added.
Knowledge gathered by risk intelligence agency GreyNoise exhibits that 21 distinctive IP addresses have been noticed trying to execute a distant authentication bypass assault by leveraging the flaw over the previous 24 hours. All of the IP addresses, which originate from Hong Kong, the U.S., Japan, the Netherlands, China, Germany, Singapore, and Thailand, have been flagged as malicious.
