""The telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter," wrote GNU contributor Simon Josefsson. "If the client supply [ sic] a carefully crafted USER environment value being the string '-f root', and passes the telnet(1) -a or --login parameter to send this USER environment to the server, the client will be automatically logged in as root bypassing normal authentication processes.""
"The bug, which had gone unnoticed for nearly 11 years, was disclosed on January 20 and is tracked as CVE-2026-24061 (9.8). It was introduced in a May 2015 update, and if you're one of the few to still be running telnetd, patch up, because attacks are already underway. GreyNoise data shows that in the past 24 hours, 15 unique IPs were trying to execute a remote authentication bypass attack by using the vulnerability."
CVE-2026-24061 is a critical argument-injection vulnerability in GNU InetUtils telnetd with a 9.8 severity score, disclosed January 20 and introduced in May 2015. Telnetd passes the USER environment variable to /usr/bin/login as the last parameter; a crafted USER value of '-f root' combined with telnet -a or --login causes /usr/bin/login to be invoked so the client is automatically logged in as root, bypassing authentication. Exploitation is straightforward and reliable compared to memory-corruption bugs. Active scanning and exploitation attempts have been observed; administrators running telnetd should apply patches or disable the service immediately.
Read at Theregister
Unable to calculate read time
Collection
[
|
...
]