Ancient telnet bug happily hands out root to attackers
A recently disclosed critical vulnerability in the GNU InetUtils telnet daemon (telnetd) is “trivial” to exploit, experts say.
The bug, which had gone unnoticed for nearly 11 years, was disclosed on January 20 and is tracked as CVE-2026-24061, with a CVSS score of 9.8.
It was introduced in a May 2015 update, and if you’re one of the few to still be running telnetd, patch up, because attacks are already underway.
GreyNoise data shows that in the past 24 hours, 15 unique IPs were seen attempting to exploit the vulnerability for remote authentication bypass.
The security advisory explains that the bug allows attackers to easily gain root access to a target system.
“The telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter,” wrote GNU contributor Simon Josefsson.
“If the client supply [sic] a carefully crafted USER environment value being the string ‘-f root’, and passes the telnet(1) -a or --login parameter to send this USER environment to the server, the client will be automatically logged in as root bypassing normal authentication processes.”
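The pattern the advisory describes is argument injection: a client-controlled string ends up where login(1) expects its final operand, and login's -f flag means "the user is already authenticated, skip the password check". The following is an added example, not code from GNU InetUtils or from the advisory. It models a server that pastes the USER value into a login command line and re-splits it on whitespace (an illustrative assumption about how the value reaches argv, not a claim about telnetd's internals), beside a hardened builder that validates the name and passes it as a single argument after "--". The hostname 203.0.113.5 and the 32-character name cap are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 16
#define MAX_USER 32   /* assumed cap on a login name, chosen for this example */

/* Split a command line on whitespace into a NULL-terminated argv.
 * Modifies buf in place. Returns argc, or -1 if there are too many words. */
static int split_words(char *buf, char *argv[], int max)
{
    int argc = 0;
    char *p = buf;
    while (*p) {
        while (*p && isspace((unsigned char)*p)) p++;
        if (!*p) break;
        if (argc >= max - 1) return -1;
        argv[argc++] = p;
        while (*p && !isspace((unsigned char)*p)) p++;
        if (*p) *p++ = '\0';
    }
    argv[argc] = NULL;
    return argc;
}

/* VULNERABLE pattern (constructed for illustration): the client-supplied
 * USER value is pasted into a command line that is then re-split, so a
 * value containing a space becomes two arguments, and because the name is
 * placed where login(1) expects its operand, a value beginning with '-'
 * is parsed by login as an option rather than as a user name. */
int build_login_argv_vulnerable(const char *host, const char *user,
                                char *buf, size_t buflen,
                                char *argv[], int max)
{
    int n = snprintf(buf, buflen, "/usr/bin/login -p -h %s %s", host, user);
    if (n < 0 || (size_t)n >= buflen) return -1;
    return split_words(buf, argv, max);
}

/* Validation: a login name must be non-empty, must not start with '-'
 * (login would read it as an option), and may contain only characters
 * that no argv parser or shell can reinterpret. */
int user_is_safe(const char *user)
{
    size_t len = strlen(user);
    if (len == 0 || len > MAX_USER) return 0;
    if (user[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* HARDENED: validate first, then build argv element by element so the user
 * name is exactly one argument, and end option parsing with "--" so that a
 * value which somehow slipped through still cannot be read as an option.
 * host comes from the server's own lookup, not from the client.
 * Returns argc, or -1 if the name is rejected. */
int build_login_argv_hardened(const char *host, const char *user,
                              char *argv[], int max)
{
    if (max < 7 || !user_is_safe(user)) return -1;
    int argc = 0;
    argv[argc++] = "/usr/bin/login";
    argv[argc++] = "-p";
    argv[argc++] = "-h";
    argv[argc++] = (char *)host;
    argv[argc++] = "--";
    argv[argc++] = (char *)user;
    argv[argc] = NULL;
    return argc;
}

int main(void)
{
    char *argv[MAX_ARGS];
    char buf[256];
    int argc = build_login_argv_vulnerable("203.0.113.5", "-f root",
                                           buf, sizeof buf, argv, MAX_ARGS);
    printf("vulnerable builder produced %d arguments:\n", argc);
    for (int i = 0; i < argc; i++)
        printf("  argv[%d] = %s\n", i, argv[i]);   /* shows "-f" then "root" */
    argc = build_login_argv_hardened("203.0.113.5", "-f root", argv, MAX_ARGS);
    printf("hardened builder: %s\n", argc < 0 ? "rejected" : "accepted");
    return 0;
}
```

The "--" terminator only helps if the login binary's option parser honours it, which getopt(3)-based implementations do; the leading-dash check in user_is_safe is the control that does not depend on the callee. Neither replaces patching telnetd: they show why a server must never let an untrusted string occupy an option position when it execs a setuid-root helper.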
Stephen Fewer, senior principal researcher at Rapid7, told The Register the vulnerability has “a number of worrying factors.”
Because it is an argument injection flaw rather than, say, a memory corruption bug, exploitation does not depend on fragile conditions such as memory layout and is likely to succeed reliably. The ease with which an attacker can exploit it is a further concern.
“Exploiting this vulnerability is straightforward: as documented in the disclosure, simply running a specific telnet command to connect to a remote server can trigger the issue and grant an attacker root access,” said Fewer.
“Rapid7 Labs has verified the vulnerability, confirming that exploitation is trivial and results in full root access on the target.”
Fewer went on to say that anyone running telnetd in 2026 probably shouldn’t be. The protocol is unencrypted, so credentials and session traffic travel in cleartext and anyone able to sniff the network can capture login attempts and sessions.
Users should at the very least update to the latest version of telnetd and block access to it from the internet, but better still, replace it with a more secure alternative, such as SSH.
Josefsson also said in the advisory that his chief recommendation was for users to not run a telnetd server at all, and to restrict network access to the telnet port to trusted clients only.
Although telnetd fell out of favor years ago, with alternatives such as SSH proving far more popular, a sizeable number of active deployments remain, contrary to popular belief.
France’s CERT issued an advisory on Wednesday, saying “many telnet services are accessible on the internet, which is contrary to good practices. CERT-FR therefore recommends decommissioning all telnet services.”
National cybersecurity authorities in Canada and Belgium echoed the same recommendations, warning of the risks of a successful exploit and urging the retirement of telnetd. ®
