Vulnerability Management, Patch/Configuration Management

Old critical GNU InetUtils telnetd vulnerability uncovered

All GNU InetUtils telnetd versions from 1.9.3 to 2.7 were affected by a critical remote authentication bypass issue that went unidentified for almost 11 years, according to The Hacker News.

Exploitation of the vulnerability, tracked as CVE-2026-24061, could enable root access to targeted systems, said GNU contributor Simon Josefsson, who noted that the bug was part of a source code commit added to GNU InetUtils telnetd 1.9.3, introduced in May 2015.

"If the client supply [sic] a carefully crafted USER environment value being the string "-f root", and passes the telnet(1) -a or --login parameter to send this USER environment to the server, the client will be automatically logged in as root bypassing normal authentication processes," added Josefsson.

Meanwhile, GreyNoise observed attempted exploitation of the flaw from 21 unique and malicious IP addresses, most of which were from China.
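
Josefsson's description implies that the client-supplied USER value reaches the login program's command line unchecked, where a leading `-` is read as an option (`-f` in login(1) marks the user as already authenticated). As an added example, not GNU InetUtils code or its fix, here is one way a daemon could validate a client-supplied login name before use; the function names, the 32-character limit, and the assumption that the login program honors `--` as end-of-options are illustrative.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not GNU InetUtils code. All names here are hypothetical. */
#define MAX_LOGIN_NAME 32 /* assumed limit for this sketch */

/* Return 1 if `user` may be passed to login(1) as a user-name operand. */
int login_name_is_safe(const char *user)
{
    size_t i, n;
    if (user == NULL) return 0;
    n = strlen(user);
    if (n == 0 || n > MAX_LOGIN_NAME) return 0;
    if (user[0] == '-') return 0; /* would be parsed as an option, e.g. -f */
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)user[i];
        /* Allow-list: whitespace, quotes and control bytes are all rejected,
           so the value cannot split into extra arguments if tokenized later. */
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Fill argv for login. An unsafe name is dropped, so login prompts for one
   and authenticates normally. Returns the argument count, or -1 if cap < 4. */
int build_login_argv(const char *user, const char **argv, size_t cap)
{
    size_t n = 0;
    if (cap < 4) return -1;
    argv[n++] = "login";
    if (login_name_is_safe(user)) {
        argv[n++] = "--"; /* assumption: login honors end-of-options */
        argv[n++] = user;
    }
    argv[n] = NULL;
    return (int)n;
}

int main(void)
{
    /* Constructed sample inputs; "-f root" is the value quoted in the article. */
    const char *samples[] = { "alice", "-f root", "-froot", "a b" };
    const char *out[4];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> argc=%d\n", samples[i], build_login_argv(samples[i], out, 4));
    return 0;
}
```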
