A critical vulnerability in the GNU InetUtils telnet daemon (telnetd) has been disclosed, posing a significant threat to systems still running this legacy software. The bug, which went unnoticed for more than a decade, was disclosed on January 20 and is tracked as CVE-2026-24061 with a CVSS score of 9.8.
The vulnerability was introduced in a May 2015 update, and users are urged to patch immediately, as exploitation is already underway: GreyNoise data shows that in the past 24 hours 15 unique IP addresses attempted to exploit it for remote authentication bypass. The bug lets an attacker obtain root on the target trivially.
The issue lies in how telnetd hands a session off to the login program. When the server invokes login, it passes the client-supplied USER environment variable (which a telnet client sends during option negotiation) on login's command line without validating it. A client that sets USER to '-f root' and connects with telnet(1)'s -a or --login option therefore causes telnetd to run login with the -f option, which tells login the user is already authenticated, and the attacker is logged in as root without a password.
This vulnerability is particularly concerning because the exploit is simple and reliable. Unlike memory-corruption bugs, which need careful setup and can fail, this argument-injection flaw is deterministic: a single telnet command triggers it and yields a root shell on the target.
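The following is an added example, not code from GNU InetUtils or from the advisory. It parses the NEW-ENVIRON subnegotiation (RFC 1572) that a telnet client sends when run with -a/--login, so a sensor or honeypot can flag a USER value that starts with '-' (the injection pattern described above), and it shows the hardened counterpart: validating the user name before it is placed on login's command line. The byte strings, the `parse_new_environ`, `injection_attempt`, `is_plain_username` and `build_login_argv` names, and the argv layout are all this example's own choices and do not reproduce telnetd's actual code.

```python
"""Detect and reject option injection through the telnet USER variable."""
import re

IAC, SB, SE = 255, 250, 240
NEW_ENVIRON = 39                       # RFC 1572 option code
ENV_IS, ENV_SEND, ENV_INFO = 0, 1, 2   # subnegotiation commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3  # name/value markers inside the payload


def parse_new_environ(data: bytes) -> dict:
    """Return {name: value} from every IAC SB NEW-ENVIRON IS/INFO ... IAC SE in data.

    ESC-escaped bytes are unescaped; a doubled IAC inside the payload is not
    handled, which is fine for the constructed samples used here.
    """
    env = {}
    i = 0
    while True:
        start = data.find(bytes([IAC, SB, NEW_ENVIRON]), i)
        if start < 0:
            return env
        end = data.find(bytes([IAC, SE]), start)
        if end < 0:
            return env
        body = data[start + 3:end]
        i = end + 2
        if not body or body[0] not in (ENV_IS, ENV_INFO):
            continue
        name, value, in_value = bytearray(), bytearray(), False
        j = 1
        while j < len(body):
            b = body[j]
            if b == ESC and j + 1 < len(body):          # escaped literal byte
                j += 1
                (value if in_value else name).append(body[j])
            elif b in (VAR, USERVAR):                   # start of a new pair
                if name:
                    env[name.decode("latin-1")] = value.decode("latin-1")
                name, value, in_value = bytearray(), bytearray(), False
            elif b == VALUE:                            # switch from name to value
                in_value = True
            else:
                (value if in_value else name).append(b)
            j += 1
        if name:
            env[name.decode("latin-1")] = value.decode("latin-1")


def injection_attempt(data: bytes):
    """Return the offending USER value if it looks like a login option, else None."""
    user = parse_new_environ(data).get("USER")
    if user is not None and user.lstrip().startswith("-"):
        return user
    return None


def is_plain_username(user: str) -> bool:
    """Conventional account name: no leading '-', no spaces, no shell metacharacters."""
    return re.fullmatch(r"[a-z_][a-z0-9_-]{0,31}", user) is not None


def build_login_argv(user: str, host: str) -> list:
    """Hardened form: validate before the client-controlled value reaches argv.

    The bug was that '-f root' reached login's argv unchecked and became the
    -f (pre-authenticated) option. Rejecting anything that is not a plain user
    name removes the injection. Illustrative argv layout, not telnetd's own.
    """
    if not is_plain_username(user):
        raise ValueError(f"refusing to pass {user!r} to login")
    return ["/bin/login", "-h", host, "-p", user]


# Constructed subnegotiations, shaped like what telnet -a sends for USER.
MALICIOUS = (bytes([IAC, SB, NEW_ENVIRON, ENV_IS, VAR]) + b"USER"
             + bytes([VALUE]) + b"-f root" + bytes([IAC, SE]))
BENIGN = (bytes([IAC, SB, NEW_ENVIRON, ENV_IS, VAR]) + b"USER"
          + bytes([VALUE]) + b"alice" + bytes([IAC, SE]))

if __name__ == "__main__":
    print(parse_new_environ(MALICIOUS))   # {'USER': '-f root'}
    print(injection_attempt(MALICIOUS))   # -f root
    print(injection_attempt(BENIGN))      # None
    print(build_login_argv("alice", "10.0.0.5"))
    print(is_plain_username("-f root"))   # False
```

On a sensor, feed `injection_attempt` the client-to-server bytes of each new port-23 session; any non-None result is an exploitation attempt worth alerting on regardless of whether the server turned out to be vulnerable.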
Rapid7's Stephen Fewer highlights the worrying nature of this vulnerability. He emphasizes that anyone still running telnetd in 2026 should be concerned, as the lack of encryption makes it susceptible to packet sniffing, allowing attackers to intercept login attempts and sessions.
To mitigate the risk, update telnetd to a patched version and restrict network access to the service to trusted clients only. Better still, retire telnetd altogether and move to an encrypted alternative such as SSH; not running a telnet server at all remains the primary recommendation.
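Retiring telnetd starts with finding where it still listens. The following is an added audit helper, not part of the advisory or of GNU InetUtils: it reads the server's opening option negotiation on port 23 and reports whether the service is telnet and whether it asks the client for environment variables (DO NEW-ENVIRON, option 39), the channel through which USER reaches telnetd. The `negotiation_summary` and `probe` names, the default timeout and the sample banners are this example's own choices.

```python
"""Find hosts that still answer as telnet and request client environment."""
import socket
import sys

IAC, WILL, WONT, DO, DONT = 255, 251, 252, 253, 254
NEW_ENVIRON = 39


def negotiation_summary(banner: bytes) -> dict:
    """Parse leading IAC <cmd> <opt> triplets; stop at the first non-negotiation byte."""
    result = {"telnet": False, "do_new_environ": False, "options": []}
    i = 0
    while (i + 2 < len(banner) and banner[i] == IAC
           and banner[i + 1] in (WILL, WONT, DO, DONT)):
        cmd, opt = banner[i + 1], banner[i + 2]
        result["telnet"] = True
        result["options"].append((cmd, opt))
        if cmd == DO and opt == NEW_ENVIRON:
            result["do_new_environ"] = True
        i += 3
    return result


def probe(host: str, port: int = 23, timeout: float = 3.0) -> dict:
    """Connect, read what the server volunteers, and summarise it.

    Only this function touches the network; the parsing above is testable offline.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256)
            except socket.timeout:
                banner = b""
    except OSError as exc:
        return {"host": host, "reachable": False, "error": str(exc)}
    summary = negotiation_summary(banner)
    summary.update(host=host, reachable=True)
    return summary


# Constructed banners: a telnet daemon opening with DO TERMINAL-TYPE (24),
# DO NEW-ENVIRON (39), WILL ECHO (1), WILL SUPPRESS-GO-AHEAD (3), and an SSH
# server that happens to listen on the same port.
SAMPLE_TELNETD = bytes([IAC, DO, 24, IAC, DO, 39, IAC, WILL, 1, IAC, WILL, 3])
SAMPLE_SSH = b"SSH-2.0-OpenSSH\r\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for host in sys.argv[1:]:
            print(probe(host))
    else:
        print(negotiation_summary(SAMPLE_TELNETD))  # telnet, do_new_environ True
        print(negotiation_summary(SAMPLE_SSH))      # telnet False
```

Run it as `python3 audit.py host1 host2 ...` from a management host; any result with `do_new_environ` true is a telnet service that should be patched or, preferably, decommissioned and fenced off at the firewall in the meantime.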
Despite the decline in telnetd's popularity, it remains in use in many active deployments. France's CERT has issued an advisory urging the decommissioning of all telnet services, and the national cybersecurity authorities of Canada and Belgium have echoed that warning, stressing the risks and urging organisations to retire telnetd before it is exploited.