A severe authentication bypass vulnerability discovered in the GNU InetUtils telnetd server has triggered emergency patching efforts across the cybersecurity community. Designated as CVE-2026-24061, the flaw carries a CVSS severity score of 9.8 and affects all versions of GNU InetUtils from 1.9.3 through 2.7, enabling unauthenticated remote attackers to gain root-level access to vulnerable Linux systems.
The Exploit Mechanics
The vulnerability resides in how the telnetd daemon invokes the login program during the Telnet negotiation phase. When a client connects, telnetd executes /usr/bin/login — which runs with root privileges — and passes the client-supplied USER environment variable as the final argument. The critical flaw is that this variable is never sanitized.
An attacker initiates a Telnet connection and sends a maliciously crafted ENVIRON variable setting the USER field to -f root. The telnetd daemon then executes login -p -h -f root, where the -f flag instructs the login binary to skip all authentication for the specified user. The result is an immediate root shell with no credentials required.
Grey Noise, a threat intelligence platform that monitors internet-wide scanning activity, detected a coordinated exploitation campaign targeting Telnet services on TCP port 23. Analysis of honeypot traffic captured 60 unique exploitation attempts originating from 18 distinct source IP addresses, ranging from opportunistic scanning to sophisticated persistence mechanisms.
Affected Systems
GNU InetUtils versions 1.9.3 through 2.7 are confirmed vulnerable. This package ships with numerous Linux distributions and is commonly found on legacy servers, embedded devices, and industrial control systems that still rely on Telnet for remote management. The most prolific attacker IP, 178.16.53[.]82, accounted for 12 sessions targeting 10 unique systems using consistent payload configurations.
Attackers employ diverse payload configurations to evade simple signature detection. Terminal speeds of 38400 baud and 9600 baud are most common, though some attacks negotiate zero-speed parameters. Terminal types vary between standard XTERM-256COLOR and generic UNKNOWN types. While root is the primary target in 83% of attempts, probes for nobody, daemon, and randomized usernames have also been observed.
Upon gaining access, attackers immediately execute reconnaissance commands including uname -a, id, and cat /etc/passwd, often wrapped in delimiter strings for automated parsing by command-and-control infrastructure.
The Mitigation Strategy
Organizations should take immediate action by applying the patched version of GNU InetUtils (version 2.8 or later) wherever the package is installed. For systems where patching is not immediately possible, disabling the Telnet service entirely is the strongest mitigation. Telnet transmits credentials in plaintext and has been considered insecure for decades — this vulnerability simply underscores why SSH should be the standard for all remote access.
Network-level controls should block inbound TCP port 23 traffic at perimeter firewalls. Internal network segmentation should restrict Telnet access to only those systems that genuinely require it, and even then only from authorized management workstations.
Lessons Learned
This incident highlights the persistent danger of legacy protocols in modern infrastructure. Telnet was designed in an era when network security was not a primary concern, and the USER environment variable injection vector is a textbook example of why input validation matters at every trust boundary. With Bitcoin trading near $89,100 and Ethereum at $2,949, the financial stakes of compromised infrastructure have never been higher — crypto-related servers and nodes running legacy services are particularly attractive targets.
The coordinated nature of the exploitation campaign, with 18 distinct source IPs launching 60 attempts, suggests organized threat groups rather than individual actors. One campaign from IP 216.106.186[.]24 attempted to inject a 3072-bit RSA SSH key for persistent access and download a second-stage Python payload, indicating potential botnet recruitment.
User Action Required
System administrators should immediately inventory all systems running GNU InetUtils telnetd. Apply patches where available, disable Telnet services where possible, and audit SSH configurations as a secure replacement. Crypto exchanges, wallet services, and blockchain node operators should be especially vigilant — the intersection of high-value targets and legacy infrastructure creates an attractive attack surface. Monitor for the indicators of compromise listed in security advisories and review authentication logs for any suspicious Telnet sessions dating back to early January 2026.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.
9.8 CVSS and telnet is still running in 2026. some things never change
telnet in 2026 on production systems with root access. the -f flag bypass has been documented since the 90s and nobody fixed the input sanitization
telnet in 2026 and nobody sanitized the USER env var. this is security 101 level stuff. CVSS 9.8 is deserved
the fact that login gets called with root and never sanitizes the USER env var is just classic C code behavior. been this way for decades
^ literally this. the -f flag bypass has been a known pattern since the 90s
anyone else notice it affects versions from 1.9.3 all the way to 2.7? that is roughly a decade of vulnerable code in production
a decade of GNU InetUtils with this login invocation bug. the USER env variable never sanitized since 1.9.3. pretty wild oversight
login -p -h -f root with zero auth because of an unsanitized variable. been patching servers all morning, this one is nasty