Overview
- Tracked as CVE-2026-24061 with a CVSS score of 9.8, the flaw affects GNU Inetutils telnetd versions 1.9.3 through 2.7 and is fixed in version 2.8.
- The vulnerability is an argument-injection issue where a crafted USER value of "-f root" is passed to /usr/bin/login, bypassing authentication to grant root access.
- GreyNoise reports 21 unique IPs probing for the bypass over the past 24 hours from Hong Kong, the United States, Japan, the Netherlands, China, Germany, Singapore, and Thailand.
- GNU’s patch in 2.8 blocks USER values beginning with a dash, a public proof-of-concept exists, and Rapid7 has verified that exploitation reliably yields full root.
- CERT-FR calls for decommissioning telnet services, with Canadian and Belgian authorities issuing similar guidance alongside advice to disable telnetd, restrict port 23, and migrate to SSH.
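The bullets above describe two things a defender can act on: the condition the 2.8 patch refuses (a USER value starting with "-") and the probing GreyNoise observes. The following example, added here and not taken from GNU Inetutils or any of the sources cited, shows how to pull telnet NEW-ENVIRON subnegotiations (RFC 1572, the option a telnet client uses to send USER) out of a captured byte stream and apply that same leading-dash check to what it finds, so the logic can serve either as a traffic check or as an input validator. Constants follow the RFCs; the sample streams are constructed for the example, not real captures; function names are the author's own.

```python
"""Find telnet NEW-ENVIRON USER values that begin with '-' (the condition the
telnetd 2.8 fix rejects). Added example code, not GNU Inetutils code."""
from typing import Iterator

# Telnet command and option bytes (RFC 854 / RFC 1572)
IAC, SB, SE = 255, 250, 240
WILL, WONT, DO, DONT = 251, 252, 253, 254
NEW_ENVIRON = 39
IS, SEND, INFO = 0, 1, 2                 # subnegotiation commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3    # type bytes inside IS/INFO


def find_subnegotiations(stream: bytes) -> Iterator[tuple[int, bytes]]:
    """Yield (option, body) for each IAC SB <option> ... IAC SE in `stream`.
    The body keeps IAC IAC pairs as sent; the option parser unescapes them.
    Unterminated subnegotiations are dropped."""
    i, n = 0, len(stream)
    while i + 1 < n:
        if stream[i] != IAC:
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd != SB:
            # WILL/WONT/DO/DONT carry an option byte; other commands are 2 bytes
            i += 3 if cmd in (WILL, WONT, DO, DONT) else 2
            continue
        if i + 2 >= n:
            return
        option, j, body = stream[i + 2], i + 3, bytearray()
        while j + 1 < n:
            if stream[j] == IAC:
                if stream[j + 1] == SE:
                    break
                body += stream[j:j + 2]      # escaped 0xFF, keep both bytes
                j += 2
                continue
            body.append(stream[j])
            j += 1
        else:
            return                           # ran off the end without IAC SE
        yield option, bytes(body)
        i = j + 2


def parse_new_environ(payload: bytes) -> dict[str, str]:
    """Parse a NEW-ENVIRON IS/INFO payload (first byte IS or INFO) into
    {name: value}. VAR and USERVAR are both returned; ESC x and IAC IAC give
    the literal byte. latin-1 decoding so no byte is lost."""
    if not payload or payload[0] not in (IS, INFO):
        raise ValueError("payload is not a NEW-ENVIRON IS/INFO message")
    env: dict[str, str] = {}
    name = value = None        # bytearrays for the variable being read
    cur = None                 # "name" or "value": where data bytes go

    def commit() -> None:
        nonlocal name, value
        if name is not None:
            env[name.decode("latin-1")] = (value or b"").decode("latin-1")
        name = value = None

    i = 1
    while i < len(payload):
        b = payload[i]
        if b in (VAR, USERVAR):
            commit()
            name, value, cur = bytearray(), None, "name"
        elif b == VALUE:
            if name is None:
                raise ValueError("VALUE before any VAR/USERVAR")
            value, cur = bytearray(), "value"
        else:
            if cur is None:
                raise ValueError("data byte outside a variable")
            if b in (ESC, IAC):            # next byte is literal data
                i += 1
                if i >= len(payload):
                    raise ValueError("truncated escape sequence")
                b = payload[i]
            (name if cur == "name" else value).append(b)
        i += 1
    commit()
    return env


def accept_login_user(user: str) -> bool:
    """The check the 2.8 fix adds: a USER starting with '-' would be read by
    /usr/bin/login as an option rather than a username, so it is refused."""
    return not user.startswith("-")


def scan_for_dash_user(stream: bytes) -> list[str]:
    """Return every NEW-ENVIRON USER value in `stream` that fails the check."""
    hits = []
    for option, body in find_subnegotiations(stream):
        if option != NEW_ENVIRON:
            continue
        try:
            env = parse_new_environ(body)
        except ValueError:
            continue               # SEND requests or malformed data: nothing to check
        user = env.get("USER")
        if user is not None and not accept_login_user(user):
            hits.append(user)
    return hits


# Constructed sample traffic (not real captures): a normal environment exchange
# and one carrying the leading-dash USER value named in the advisory.
BENIGN_STREAM = (bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER" + bytes([VALUE]) + b"alice"
                 + bytes([VAR]) + b"TERM" + bytes([VALUE]) + b"xterm" + bytes([IAC, SE]))
PROBE_STREAM = (bytes([IAC, DO, 1])      # unrelated ECHO negotiation first
                + bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER" + bytes([VALUE]) + b"-f root"
                + bytes([IAC, SE]))

if __name__ == "__main__":
    print("benign:", scan_for_dash_user(BENIGN_STREAM))   # []
    print("probe: ", scan_for_dash_user(PROBE_STREAM))    # ['-f root']
```

`find_subnegotiations` deliberately returns the body still escaped so that a 0xFF inside a value cannot be mistaken for the IAC SE terminator, and `parse_new_environ` refuses SEND messages and malformed data rather than guessing, which keeps the scanner from reporting on bytes it did not fully understand. The same `accept_login_user` predicate is what a service that hands an untrusted username to another program should apply before building the argument list.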