11-Year-Old critical telnetd flaw found in GNU InetUtils (CVE-2026-24061)

Critical telnetd flaw CVE-2026-24061 (CVSS 9.8) affects all GNU InetUtils versions 1.9.3–2.7 and went unnoticed for nearly 11 years.

A critical vulnerability, tracked as CVE-2026-24061 (CVSS score of 9.8), in the GNU InetUtils telnet daemon (telnetd) impacts all versions from 1.9.3 to 2.7. The vulnerability can be exploited to gain root access on affected systems.

Telnetd is a server implementing the DARPA Telnet protocol, typically launched by inetd to handle connections on the Telnet port, with options to run manually in debug mode or on alternate TCP ports.

The vulnerability was introduced as part of a source code commit made on March 19, 2015. The flaw remained undiscovered for nearly 11 years, posing long-standing security risks.

“The telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter. If the client supply a carefully crafted USER environment value being the string “-f root”, and passes the telnet(1) -a or –login parameter to send this USER environment to the server, the client will be automatically logged in as root bypassing normal authentication processes.” reads the advisory. “This happens because the telnetd server do not sanitize the USER environment variable before passing it on to login(1), and login(1) uses the -f parameter to by-pass normal authentication.”

Security researcher Kyu Neushwaistein (aka Carlos Cortes Alvarez) reported the flaw on January 19, 2026.

To mitigate the flaw, apply the latest patches and restrict access to the telnet service to trusted clients. Disable the telnetd server if possible, or configure it to use a custom login tool that prevents use of the “-f” option.

Cybersecurity firm GreyNoise already observed exploitation attempts for this flaw.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, GNU InetUtils)