GNU InetUtils telnetd Vulnerability Allows Unauthenticated Root Access

Key Takeaways

• A critical security flaw (CVE-2026-24061) has been discovered in the GNU InetUtils telnet daemon (telnetd) with a CVSS score of 9.8 out of 10.0.
• The vulnerability affects all versions of GNU InetUtils from 1.9.3 to 2.7 and can be exploited to gain root access to a target system.
• The flaw allows remote authentication bypass via a carefully crafted USER environment variable.
• Users are advised to apply the latest patches, restrict network access to the telnet port, and consider disabling telnetd server or using a custom login tool as temporary workarounds.
• Threat intelligence firm GreyNoise has observed 21 unique IP addresses attempting to exploit the flaw, with all of them flagged as malicious.

Introduction to the Vulnerability
A critical security flaw has been disclosed in the GNU InetUtils telnet daemon (telnetd) that went unnoticed for nearly 11 years. The vulnerability, tracked as CVE-2026-24061, is rated 9.8 out of 10.0 on the CVSS scoring system, indicating a high level of severity. This flaw affects all versions of GNU InetUtils from version 1.9.3 up to and including version 2.7, making it a widespread issue that requires immediate attention.

Technical Details of the Flaw
The vulnerability allows remote authentication bypass via a carefully crafted USER environment variable. According to a description of the flaw in the NIST National Vulnerability Database (NVD), "Telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a ‘-f root’ value for the USER environment variable." This means that an attacker can exploit the flaw by supplying a specific value for the USER environment variable, which can grant them root access to the target system. The telnetd server invokes /usr/bin/login (normally running as root) and passes the value of the USER environment variable received from the client as the last parameter. If the client supplies a carefully crafted USER environment value, the client will be automatically logged in as root, bypassing normal authentication processes.

Exploitation and Mitigations
The vulnerability can be exploited to gain root access to a target system, as noted by GNU contributor Simon Josefsson in a post on the oss-security mailing list. Josefsson explained that the telnetd server does not sanitize the USER environment variable before passing it on to login(1), and login(1) uses the -f parameter to bypass normal authentication. To mitigate the issue, users are advised to apply the latest patches and restrict network access to the telnet port to trusted clients. As temporary workarounds, users can disable telnetd server or make the InetUtils telnetd use a custom login(1) tool that does not permit use of the ‘-f’ parameter.

Discovery and Reporting
The vulnerability was introduced as part of a source code commit made on March 19, 2015, which eventually made it to version 1.9.3 release on May 12, 2015. Security researcher Kyu Neushwaistein (aka Carlos Cortes Alvarez) has been credited with discovering and reporting the flaw on January 19, 2026. The discovery of this flaw highlights the importance of continuous security testing and review of open-source software.

Real-World Implications
Data gathered by threat intelligence firm GreyNoise shows that 21 unique IP addresses have been observed attempting to execute a remote authentication bypass attack by leveraging the flaw over the past 24 hours. All the IP addresses, which originate from various countries including Hong Kong, the U.S., Japan, the Netherlands, China, Germany, Singapore, and Thailand, have been flagged as malicious. This suggests that attackers are already aware of the vulnerability and are actively attempting to exploit it, making it essential for users to take immediate action to protect their systems.

Conclusion
In conclusion, the critical security flaw in the GNU InetUtils telnet daemon (telnetd) is a significant issue that requires immediate attention. The vulnerability can be exploited to gain root access to a target system, and users are advised to apply the latest patches and restrict network access to the telnet port to trusted clients. The discovery of this flaw highlights the importance of continuous security testing and review of open-source software, and users should remain vigilant in protecting their systems from potential attacks. By taking proactive measures, users can minimize the risk of exploitation and ensure the security of their systems.