
A critical security vulnerability has been identified in the GNU InetUtils Telnet daemon (telnetd) that allows unauthenticated attackers to obtain root-level access. The issue was introduced in 2015 and went undetected for nearly 11 years. Review this Cybersecurity Threat Advisory for more details and to mitigate your risk.
What is the threat?
Tracked as CVE-2026-24061 with a CVSS score of 9.8, the flaw stems from improper handling of the client-supplied USER environment variable. Telnetd passes this variable directly to /usr/bin/login without sanitizing or validating it. As a result, attackers can inject command-line arguments into the login process.
By supplying ‘-f root’ as the USER value, an attacker exploits a legacy login feature that bypasses password authentication for the specified user. This results in an immediate root shell without a password prompt.
All GNU InetUtils versions 1.9.3 through 2.7 are affected.
Why is it noteworthy?
The vulnerability originated in a March 19, 2015 code change and remained unnoticed until January 2026. It enables complete authentication bypass through simple manipulation of an environment variable—a particularly dangerous issue given Telnet’s lack of encryption and continued presence in legacy environments.
Combined with verified active exploitation attempts, this flaw poses an immediate and severe risk to any publicly exposed Telnet service.
What is the exposure or risk?
Systems running vulnerable versions of telnetd are at risk of full remote compromise, granting attackers unrestricted administrative control. Once breached, these systems may be used to move laterally into more modern or sensitive infrastructure.
Because Telnet transmits all data in unencrypted plaintext, attackers can also intercept any remaining sensitive traffic. The exploit is low in complexity, making vulnerable systems attractive targets.
What are the recommendations?
Barracuda recommends the following steps to mitigate CVE-2026-24061:
- Upgrade GNU InetUtils to version 2.8 or higher immediately.
- If upgrading is not possible:
- Disable telnetd without delay.
- Block Telnet at the network perimeter and internally wherever feasible.
- Replace Telnet with SSH, which provides encrypted, authenticated communication.
References
For more in-depth information about the recommendations, please visit the following links:
- https://thehackernews.com/2026/01/critical-gnu-inetutils-telnetd-flaw.html
- https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-telnetd-auth-bypass-flaw-to-get-root/
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.

