Ancient telnet bug happily hands out root to attackers


A recently disclosed critical vulnerability in the GNU InetUtils telnet daemon (telnetd) is "trivial" to exploit, experts say.

The bug, which had gone unnoticed for nearly 11 years, was disclosed on January 20 and is tracked as CVE-2026-24061 (9.8).

It was introduced in a May 2015 update, and if you're one of the few to still be running telnetd, patch up, because attacks are already underway.

GreyNoise data shows that in the past 24 hours, 15 unique IPs were trying to execute a remote authentication bypass attack by using the vulnerability.

The security advisory explains that the bug allows attackers to easily gain root access to a target system.

"The telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter," wrote GNU contributor Simon Josefsson.

"If the client supply [sic] a carefully ...


Copyright of this story solely belongs to theregister.co.uk.