Critical GNU InetUtils telnetd Flaw Lets Attackers Bypass Login and Gain Root Access

A critical security vulnerability discovered in the GNU InetUtils telnet daemon (telnetd) has exposed millions of systems to a remote authentication bypass attack. The flaw, tracked as CVE-2026-24061, is rated 9.8 out of 10.0 on the Common Vulnerability Scoring System (CVSS).

Telnetd in GNU Inetutils through version 2.7 allows attackers to bypass authentication and gain root access without proper credentials by manipulating the USER environment variable. According to a post on the oss-security mailing list, security researcher Kyu Neushwaistein (aka Carlos Cortes Alvarez) disclosed this vulnerability on January 19, 2026.

The telnetd server passes the value of the USER environment variable received from a client to the /usr/bin/login program. If the attacker sends a crafted USER value of “-f root” and includes the -a or --login flag in their telnet(1) command, login treats the value as its -f option, which marks the user as already authenticated, and the attacker is logged in as root automatically, bypassing the normal authentication mechanisms.
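The check below is an added illustration, not code from GNU InetUtils or its patch: it shows one way a server can refuse a client-supplied USER value before it reaches login. The function names, the 32-character limit and the allowed character set are assumptions, and the `--` separator assumes a login that parses its options getopt-style.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define MAX_USER_LEN 32 /* assumed policy limit, not taken from the page */

/* Hypothetical validator: accept only plain account names, so the value
 * can never be read as an option or split into several arguments. */
int user_value_is_safe(const char *user)
{
    if (user == NULL || user[0] == '\0' || user[0] == '-')
        return 0;                       /* empty, or looks like an option */
    if (strlen(user) > MAX_USER_LEN)
        return 0;
    for (const char *p = user; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && c != '_' && c != '.' && c != '-')
            return 0;                   /* whitespace, quotes, controls */
    }
    return 1;
}

/* Build the argv for login. Returns argc, or -1 when the value is refused.
 * A NULL user means none was supplied, so login prompts for a name. */
int build_login_argv(const char *user, const char *argv[], int max)
{
    int n = 0;
    if (max < 4) return -1;
    argv[n++] = "/usr/bin/login";
    if (user != NULL) {
        if (!user_value_is_safe(user))
            return -1;                  /* drop the session, do not exec */
        argv[n++] = "--";               /* end of options (getopt-style) */
        argv[n++] = user;               /* one argv slot, never re-split */
    }
    argv[n] = NULL;
    return n;
}

int main(void)
{
    /* Constructed sample values; "-f root" is the value the article names. */
    const char *samples[] = { "alice", "-f root", "root -f", "" };
    const char *argv[4];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> %s\n", samples[i][0] ? samples[i] : "(empty)",
               build_login_argv(samples[i], argv, 4) < 0 ? "refused" : "ok");
    return 0;
}
```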

The vulnerability was introduced by a source code change made on March 19, 2015. That change was included in version 1.9.3 and in the releases that followed, up to version 2.7. GNU developer Simon Josefsson reported this issue publicly when he discovered the vulnerability.

To mitigate the risk posed by this flaw, users are advised to apply the latest patches available for their InetUtils installation. Additionally, network access to the telnet port should be restricted to only trusted clients. As a temporary workaround, users can disable the telnet server or use an alternative login(1) tool that does not permit use of the ‘-f’ parameter.

Data collected by threat intelligence firm GreyNoise indicates that 21 unique IP addresses have attempted remote authentication bypass attacks over the past 24 hours. These IPs originate from various regions including Hong Kong, the U.S., Japan, the Netherlands, China, Germany, Singapore, and Thailand. All of these IPs were identified as malicious.

This critical flaw underscores the importance of timely vulnerability patching and limiting access to potentially vulnerable services such as telnetd. The exposure of root-level privileges through such a widely used service can lead to severe consequences for organizations relying on this implementation of GNU InetUtils.

Threat actors may use this exploit to gain unauthorized control over systems, steal sensitive data, or disrupt operations. The ease with which attackers could bypass established authentication protocols highlights the need for robust security measures and continuous monitoring within organizations to protect against such vulnerabilities.

Potential Impact

The exploitation of this vulnerability by threat actors could result in a significant compromise where unauthorized users gain full control over affected systems. The ability to access the root account allows attackers to execute arbitrary commands, install malware, and perform data exfiltration or destruction operations without detection.

Recommendations

To safeguard against this vulnerability:

  • Patch all InetUtils installations promptly: Apply any available patches and updates for GNU InetUtils to ensure the system is protected from known vulnerabilities. Check the release notes of each affected version to identify potential issues.
  • Restrict network access to the telnet port: Limit inbound traffic on the telnet port (23) to only trusted networks and IP addresses. Implement firewall rules or network segmentation to enforce these restrictions. Monitoring and logging should be in place for any unusual activity related to the telnet service.
  • Use alternative login tools: Employ a custom or updated version of the /usr/bin/login utility that does not allow use of the ‘-f’ parameter with the telnet command. This can prevent attackers from bypassing authentication even if they are able to reach login through other vectors, such as misconfigured scripts or services.

Symantec, Cisco and Palo Alto Networks Recommendations

Security vendors like Symantec, Cisco, and Palo Alto Networks have also issued alerts about this vulnerability. They recommend users implement the following recommendations to mitigate potential risks:

  • Patch all InetUtils installations promptly: Apply any available patches or updates for GNU InetUtils to ensure protection from known vulnerabilities. Monitoring for any unusual activity related to the telnet service is also important in this scenario.
  • Avoid use of the -f parameter: Ensure that no clients are configured to include the ‘-f root’ value when invoking the login command via a telnet client connection. This can prevent attackers from bypassing authentication and executing malicious commands as root.

Conclusion

This critical vulnerability in GNU InetUtils telnetd highlights how seemingly innocuous services like telnet can pose significant risks to system security if not properly secured against exploitation by malicious actors. The exposure of root-level privileges through such an extensively used service underscores the importance of timely patching, network segmentation, and monitoring for any suspicious activity.

Organizations should prioritize implementing robust security measures such as limiting access to potentially vulnerable services like telnetd, applying the latest available patches, and conducting thorough vulnerability assessments. This will help prevent unauthorized access and protect critical infrastructure from potential exploitation of this or other vulnerabilities in similar systems.

For more detailed recommendations on addressing this and related threats, users are encouraged to review official advisories and resources provided by security vendors like Symantec, Cisco, and Palo Alto Networks, as well as cybersecurity experts like those mentioned at THN (The Hacker News).

Sources

OSS-SECURITY Mailing List Post

Symantec Advisory on CVE-2026-24061

Palo Alto Networks Advisory on CVE-2026-24061

Cisco Security Advisory SV-20260101.001
