Ancient telnet bug happily hands out root to attackers
Summary
A critical vulnerability in the GNU InetUtils telnet daemon (telnetd), tracked as CVE-2026-24061 (CVSS 9.8), was disclosed on 20 January 2026. The flaw, introduced in May 2015, is an argument-injection issue: a client-supplied USER environment value (for example "-f root"), sent via telnet's -a or --login option, reaches /usr/bin/login unchecked and is parsed as a command-line option rather than a user name, effectively bypassing authentication and granting root access.
Exploitation is straightforward and reliable; Rapid7 verified it results in full root access. GreyNoise telemetry shows active scanning and attack attempts in the wild. National CERTs in France, Canada and Belgium have issued advisories urging immediate patching or retirement of telnetd services and recommending migration to more secure alternatives such as SSH.
Key Points
- CVE-2026-24061 is an authentication-bypass/argument-injection bug in GNU InetUtils telnetd introduced in 2015.
- Exploitation is trivial: sending a crafted USER value (e.g. "-f root") via telnet's -a/--login option can result in automatic root login.
- Active scanning and exploitation attempts have been observed; Rapid7 confirmed reliable full root compromise.
- Telnet is unencrypted and outdated; advisories from CERT-FR, Canada and Belgium urge decommissioning or strict network restriction of telnet services.
- Immediate mitigation: update to the patched telnetd if you must keep running it, block telnet from the internet, or remove telnetd and use SSH instead.
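The summary and key points above describe the mechanism as argument injection: a client-controlled USER value lands in login's argument vector, where a leading dash turns it into an option. The following Python sketch is an added illustration, not GNU InetUtils code, showing the vulnerable construction pattern beside a hardened one and a simple classifier a defender can run over observed USER values. The argv layout and the helper names are assumptions made for the example; only "-f root" comes from the article.

```python
import re

# Constructed, hypothetical helpers illustrating the argument-injection
# pattern described above. They are NOT the telnetd source code.

# Strict allow-list for a login name: must start with a letter or
# underscore, so a leading '-' can never pass.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

LOGIN = "/usr/bin/login"
CLIENT_HOST = "client.example"  # constructed sample value


def build_login_argv_unsafe(user_value: str) -> list:
    # Vulnerable pattern: the client-supplied USER value is appended to
    # login's argv verbatim. A value such as "-f root" is then parsed by
    # login's option parser as flags, not as a user name.
    return [LOGIN, "-p", "-h", CLIENT_HOST, user_value]


def build_login_argv_safe(user_value: str) -> list:
    # Hardened pattern: validate the value against a strict allow-list
    # before it reaches argv, and place it after "--" so a getopt-style
    # parser stops option processing (assumes login honours "--").
    if not USERNAME_RE.fullmatch(user_value):
        raise ValueError("rejected USER value: %r" % user_value)
    return [LOGIN, "-p", "-h", CLIENT_HOST, "--", user_value]


def looks_like_option_injection(user_value: str) -> bool:
    # Detection rule for USER values seen on the wire or in logs: any
    # value beginning with '-' is an option-injection attempt, whatever
    # follows it.
    return user_value.lstrip().startswith("-")


def triage(user_values) -> dict:
    # Classify a batch of observed USER values into suspicious / benign.
    result = {"suspicious": [], "benign": []}
    for value in user_values:
        key = "suspicious" if looks_like_option_injection(value) else "benign"
        result[key].append(value)
    return result


if __name__ == "__main__":
    # Constructed sample values, including the payload named in the article.
    seen = ["alice", "-f root", "bob", " -p"]
    print(triage(seen))
    print(build_login_argv_unsafe("-f root"))
    try:
        build_login_argv_safe("-f root")
    except ValueError as exc:
        print("blocked:", exc)
```

The point of the hardened builder is that the check happens before the value is handed to another program's option parser; rejecting on the allow-list is what matters, and the "--" separator is only defence in depth.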
Why should I read this?
Right, short and blunt — if you’re still running telnet anywhere, this is a five-alarm problem. Attackers can get root with a single command and scans are already live. Read this so you can patch, block or pull telnet before someone else does it for you.
Author style
Punchy: This is urgent. The bug is ancient but dangerous, trivial to exploit and actively abused — admins need to act now rather than shrug and hope it passes.
Source
Source: https://www.theregister.com/2026/01/22/root_telnet_bug/
