Security Affairs reports a critical telnetd flaw in GNU InetUtils (CVE-2026-24061) that went unfixed for nearly 11 years, carries a CVSS score of 9.8, and affects all GNU InetUtils versions 1.9.3–2.7. The flaw lets an attacker gain root access on affected systems by abusing the telnetd server’s handling of the USER environment variable: normal authentication is bypassed when the client supplies a USER value of “-f root” and uses telnet’s -a or --login option.
The issue was introduced in a commit dated 19 March 2015 and was reported on 19 January 2026 by security researcher Kyu Neushwaistein (aka Carlos Cortes Alvarez). To mitigate, users should apply the latest patches and restrict telnet service access to trusted clients, disable telnetd if possible, or use a custom login tool that prevents the -f option. Security Affairs notes that, according to GreyNoise, exploitation attempts have already been observed. 24 January 2026