A serious security flaw in the GNU InetUtils Telnet daemon (telnetd) has been disclosed that went undetected for almost 11 years.
The vulnerability, tracked as CVE-2026-24061, is rated 9.8 out of 10.0 on the CVSS scoring system. It affects all versions of GNU InetUtils from 1.9.3 through 2.7.
According to the description of the flaw in the NIST National Vulnerability Database (NVD), “Telnet in GNU inetutils through 2.7 allows remote authentication bypass via the ‘-f root’ value for the user environment variable.”
In a post on the oss-security mailing list, GNU contributor Simon Josefsson said that the vulnerability can be exploited to gain root access to the target system:
The Telnet server invokes /usr/bin/login (normally running as root), passing the value of the USER environment variable received from the client as the last parameter.
If a client supplies a carefully crafted USER environment value string of “-f root”, and passes this USER environment to the server via the telnet(1) -a or --login parameter, the client will automatically log in as root, bypassing normal authentication procedures.
This happens because the telnet server does not clear the USER environment variable before passing it to login(1), and login(1) uses the -f parameter to bypass normal authentication.
Josefsson also noted that the vulnerability was introduced as part of a source code commit made on March 19, 2015, which ultimately led to the release of version 1.9.3 on May 12, 2015. Security researcher Q Neuschwanstein (aka Carlos Cortés Alvarez) is credited with discovering and reporting the flaw on January 19, 2026.
As a mitigation, it is advisable to apply the latest patches and restrict network access to the Telnet port to trusted clients. As a temporary workaround, users can disable the telnet server, or point the InetUtils telnetd at a custom login(1) tool that does not accept the ‘-f’ parameter, Josefsson said.
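The root cause described above is a classic argument-injection pattern: a client-controlled string is placed into the argv of a privileged program, where a leading ‘-’ turns it into an option. The following is an added illustration, not InetUtils code and not the project's patch. It decodes the Telnet NEW-ENVIRON suboption (RFC 1572) through which a client sends USER, then shows an unchecked argv builder beside a hardened one that refuses any login name not matching a conservative POSIX-style pattern. The login argv layout, the host value and the sample suboption bytes are constructed for the example; the restrictive name policy is an assumption chosen for illustration, not inetutils' own check.

```python
"""Added example (not inetutils code): decode a Telnet NEW-ENVIRON
suboption and validate the client-supplied USER before it reaches
login(1). Constants follow RFC 854 / RFC 1572."""
import re

IAC, SB, SE = 255, 250, 240          # Telnet command bytes
NEW_ENVIRON = 39                     # option code for NEW-ENVIRON
IS, SEND, INFO = 0, 1, 2             # suboption commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3  # suboption type codes


def parse_new_environ(frame: bytes) -> dict:
    """Decode an IAC SB NEW-ENVIRON IS/INFO ... IAC SE frame into a dict.
    Assumes the caller has already de-stuffed doubled IAC bytes."""
    if frame[:3] != bytes([IAC, SB, NEW_ENVIRON]) or frame[-2:] != bytes([IAC, SE]):
        raise ValueError("not a NEW-ENVIRON suboption frame")
    sub = frame[3:-2]
    if not sub or sub[0] not in (IS, INFO):
        raise ValueError("expected an IS or INFO suboption")
    env = {}
    name = None            # decoded name of the variable being read
    buf = bytearray()      # bytes of the name or value currently being read
    reading_value = False

    def commit():
        nonlocal name, buf, reading_value
        if reading_value:
            env[name] = bytes(buf).decode("latin-1")
        elif buf:
            # VAR with no VALUE: variable is defined but empty
            env[bytes(buf).decode("latin-1")] = ""
        name, buf, reading_value = None, bytearray(), False

    i = 1
    while i < len(sub):
        b = sub[i]
        if b in (VAR, USERVAR):        # start of a new variable name
            commit()
        elif b == VALUE:               # name is complete, value follows
            name = bytes(buf).decode("latin-1")
            buf, reading_value = bytearray(), True
        elif b == ESC:                 # next byte is literal data
            i += 1
            if i < len(sub):
                buf.append(sub[i])
        else:
            buf.append(b)
        i += 1
    commit()
    return env


# Illustrative policy (an assumption for this example): lowercase portable
# user names, at most 32 characters, never starting with '-'.
SAFE_LOGIN_NAME = re.compile(r"[a-z_][a-z0-9_.-]{0,31}")


def is_safe_login_name(user: str) -> bool:
    return SAFE_LOGIN_NAME.fullmatch(user) is not None


def build_login_argv_unchecked(remote_host: str, env: dict) -> list:
    """The flawed pattern: whatever the client sent becomes the last argv
    element, where login(1) will interpret a leading '-' as an option."""
    argv = ["/usr/bin/login", "-p", "-h", remote_host]
    if "USER" in env:
        argv.append(env["USER"])
    return argv


def build_login_argv(remote_host: str, env: dict) -> list:
    """Hardened builder: refuse any USER value that is not a plain login name."""
    argv = ["/usr/bin/login", "-p", "-h", remote_host]
    user = env.get("USER")
    if user is None:
        return argv
    if not is_safe_login_name(user):
        raise ValueError(f"refusing client-supplied USER {user!r}")
    return argv + [user]


# Constructed sample frame: IAC SB NEW-ENVIRON IS VAR "USER" VALUE "-f root" IAC SE
SAMPLE_FRAME = (bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER"
                + bytes([VALUE]) + b"-f root" + bytes([IAC, SE]))

if __name__ == "__main__":
    env = parse_new_environ(SAMPLE_FRAME)
    print("decoded:", env)
    print("unchecked argv:", build_login_argv_unchecked("203.0.113.5", env))
    try:
        build_login_argv("203.0.113.5", env)
    except ValueError as e:
        print("hardened builder:", e)
```

Running the block decodes USER as “-f root”, shows the unchecked builder handing that string straight to login(1), and shows the hardened builder rejecting it. The same check applied inside a replacement login(1) wrapper (the workaround Josefsson mentions) would stop the bypass on the other side of the exec boundary.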
Data collected by threat intelligence firm GreyNoise shows that 21 unique IP addresses have been observed attempting to exploit the flaw for remote authentication bypass in the last 24 hours. All of the IP addresses, which originate from Hong Kong, the US, Japan, the Netherlands, China, Germany, Singapore and Thailand, have been flagged as malicious.