GNU InetUtils Telnetd Vulnerability Allows Unauthenticated Root Access
Take action: This one is trivial to exploit, so check whether you are using Telnet anywhere in your network. It's urgent. Stop using Telnet and switch to SSH. Alternatively, isolate the Telnet interface to trusted networks and patch the code. But that's not a good long-term approach, since Telnet is inherently a lot less secure than SSH.
Learn More
GNU InetUtils developers report a critical flaw in the telnetd server that lets anyone log in as root without a password. It affects versions 1.9.3 through 2.7 and has been present in the code since March 2015, more than ten years.
The flaw, tracked as CVE-2026-24061 (CVSS score 9.8), is a remote authentication bypass via unsanitized environment variables. It is caused by how the server handles the USER environment variable. When a client connects, the server takes the USER value and hands it to the /usr/bin/login program without sanitizing or validating the input. Attackers can set their username to -f root to trick the system into logging them in as root.
The login program sees the "-f" flag and skips the password check. This gives the attacker a root shell. Exploiting the flaw is easy with a standard telnet client. A command like USER='-f root' telnet -a servername grants full control immediately.
Users are advised to stop using telnetd and switch to SSH. If users must use telnet, it must be limited to trusted networks. Developers released security patches to fix the variable handling. Alternatively, users can use a custom login tool that blocks the "-f" parameter to stop the attack.
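The root cause described above is a client-controlled string reaching login's option parser. As an added example (not GNU InetUtils code, and not the released patch), the following C shows the two checks a hardened wrapper or server-side fix would apply: reject any name that could be read as an option, and place `--` before the username so it is always an operand. The `-p` and `-h` arguments mirror what a telnet daemon typically passes to login and are assumptions here, as is the allowed-character set.

```c
/* Added example: validate a client-supplied username before it is passed
 * to /usr/bin/login, and build login's argv so the name cannot be parsed
 * as a flag such as -f.  Not the project's own code. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Return 1 if 'user' is an acceptable login name, 0 otherwise.
 * Rejects NULL/empty names, names starting with '-' (login would treat
 * them as options), whitespace and control characters, and names longer
 * than a conservative limit.  The allowed set is an assumption; widen it
 * to match local account naming rules. */
int username_is_safe(const char *user)
{
    if (user == NULL || user[0] == '\0' || user[0] == '-')
        return 0;
    size_t len = strlen(user);
    if (len > 32)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Fill 'argv' (capacity 'cap') with arguments for login.  The "--" ends
 * option parsing, so the username is always an operand even if policy
 * ever changes.  Returns argc, or -1 if the name is unsafe or 'cap' is
 * too small.  'host' is the peer address a telnet daemon passes via -h
 * (assumed here). */
int build_login_argv(const char *host, const char *user,
                     const char **argv, size_t cap)
{
    if (!username_is_safe(user) || cap < 7)
        return -1;
    argv[0] = "login";
    argv[1] = "-p";   /* preserve environment (assumed daemon behaviour) */
    argv[2] = "-h";
    argv[3] = host;
    argv[4] = "--";   /* end of options: username below is an operand */
    argv[5] = user;
    argv[6] = NULL;
    return 6;
}
```

A real deployment would call `execv("/usr/bin/login", argv)` only after `build_login_argv` returns a non-negative count, and log the rejected name for detection.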