Critical GNU InetUtils telnetd Flaw Lets Attackers Bypass Login and Gain Root Access
Briefly

"A critical security flaw has been disclosed in the GNU InetUtils telnet daemon (telnetd) that went unnoticed for nearly 11 years. The vulnerability, tracked as CVE-2026-24061, is rated 9.8 out of 10.0 on the CVSS scoring system. It affects all versions of GNU InetUtils from version 1.9.3 up to and including version 2.7. "Telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a '-f root' value for the USER environment variable," according to a description of the flaw in the NIST National Vulnerability Database (NVD)."
"The telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter. If the client supply [sic] a carefully crafted USER environment value being the string "-f root", and passes the telnet(1) -a or --login parameter to send this USER environment to the server, the client will be automatically logged in as root bypassing normal authentication processes."
A remote authentication-bypass vulnerability (CVE-2026-24061) in GNU InetUtils telnetd scores 9.8/10 on CVSS and affects every release from 1.9.3 through 2.7. Telnetd passes the client-supplied USER environment variable to /usr/bin/login (which runs as root) as the last command-line argument without validating it, so a value that looks like an option is parsed by login as one. A client that sets USER to "-f root" and connects with telnet(1) -a or --login (which sends USER to the server) triggers login(1)'s -f option, which skips password authentication, and is dropped into a root shell. The flaw was introduced in a commit dated March 19, 2015 and shipped in the 1.9.3 release on May 12, 2015; it was reported on January 19, 2026. Recommended mitigations are applying the patch, restricting access to the telnet port, disabling telnetd entirely, or pointing telnetd at a custom login program that refuses the -f parameter.
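The following C example, added here and not taken from GNU InetUtils or The Hacker News, models the argument-construction mistake described above: a builder that appends the client-controlled USER value straight onto login's argv, beside a builder that validates the username before it can reach an option parser. Function names, the host address and the "-f root" value are this example's own; the "--" separator assumes login uses getopt-style parsing, where "--" ends option processing (the validation alone already rejects the attack value).

```c
/*
 * Constructed example (not GNU InetUtils code): how an unvalidated USER
 * value from a telnet client becomes an argv element for /usr/bin/login,
 * and a validating builder that refuses option-like usernames before exec.
 */
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>

#define MAX_ARGV 8
#define MAX_USER 32

/* Vulnerable shape: the raw USER value is appended as the last argv
 * element, so "-f root" reaches login's option parser and requests a
 * pre-authenticated session for root. Returns the argument count. */
int build_login_argv_unsafe(const char *host, const char *user_env,
                            const char **argv, size_t maxargv)
{
    size_t n = 0;
    if (maxargv < 6) return -1;
    argv[n++] = "/usr/bin/login";
    argv[n++] = "-p";          /* preserve environment */
    argv[n++] = "-h";
    argv[n++] = host;
    if (user_env != NULL && *user_env != '\0')
        argv[n++] = user_env;  /* client-controlled, never checked */
    argv[n] = NULL;
    return (int)n;
}

/* Accept only usernames that cannot be mistaken for options: non-empty,
 * bounded length, first character alphanumeric or '_', remaining
 * characters alphanumeric, '_', '.' or '-'. Whitespace and control
 * characters are rejected. Returns 1 if acceptable, 0 otherwise. */
int valid_username(const char *u)
{
    size_t len;
    if (u == NULL) return 0;
    len = strlen(u);
    if (len == 0 || len > MAX_USER) return 0;
    if (!(isalnum((unsigned char)u[0]) || u[0] == '_')) return 0;
    for (size_t i = 1; i < len; i++) {
        unsigned char c = (unsigned char)u[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened shape: validate first, then place "--" before the username so
 * a getopt-style parser treats whatever follows as a positional argument
 * (assumption about login's parser; the validation is the real gate).
 * Returns the argument count, or -1 if the username is refused. */
int build_login_argv_safe(const char *host, const char *user_env,
                          const char **argv, size_t maxargv)
{
    size_t n = 0;
    if (maxargv < 7) return -1;
    if (user_env != NULL && !valid_username(user_env)) return -1;
    argv[n++] = "/usr/bin/login";
    argv[n++] = "-p";
    argv[n++] = "-h";
    argv[n++] = host;
    if (user_env != NULL) {
        argv[n++] = "--";
        argv[n++] = user_env;
    }
    argv[n] = NULL;
    return (int)n;
}

int main(void)
{
    const char *argv[MAX_ARGV];
    const char *attack = "-f root";   /* constructed attacker-supplied USER */
    int n = build_login_argv_unsafe("203.0.113.5", attack, argv, MAX_ARGV);
    printf("unsafe: last argv element is \"%s\" (%d args)\n", argv[n - 1], n);
    n = build_login_argv_safe("203.0.113.5", attack, argv, MAX_ARGV);
    printf("safe: builder returned %d (refused)\n", n);
    n = build_login_argv_safe("203.0.113.5", "alice", argv, MAX_ARGV);
    printf("safe: \"alice\" accepted, %d args, argv[4]=\"%s\"\n", n, argv[4]);
    return 0;
}
```

The point of the validating builder is that anything exec'd as root must treat a network-supplied string as data only: reject it if it could be read as an option, and never let it be re-split on whitespace into several arguments.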
Read at The Hacker News