A recently uncovered critical flaw in the GNU InetUtils telnet daemon has experts sounding the alarm. This vulnerability, which has been lurking unnoticed for over a decade, is described as "trivial" to exploit. The bug, tracked as CVE-2026-24061 (9.8), was introduced in a 2015 update and has already caught the attention of attackers. GreyNoise data reveals that within the last 24 hours, 15 unique IPs attempted a remote authentication bypass attack, exploiting this very vulnerability.
The security advisory explains that this bug grants attackers easy access to root privileges on target systems. Here's how it works: the telnetd server invokes /usr/bin/login, normally running as root, and passes the USER environment variable received from the client as the last parameter. If the client supplies a cleverly crafted USER environment value, such as '-f root', and includes the telnet(1) -a or --login parameter, they can bypass normal authentication and gain root access.
Stephen Fewer, a senior principal researcher at Rapid7, highlights the worrying nature of this vulnerability. Unlike more complex bugs, such as memory corruption issues, this argument injection flaw is relatively straightforward to exploit. Fewer emphasizes that simply running a specific telnet command can trigger the issue and grant attackers root access. Rapid7 Labs has confirmed the vulnerability, stating that exploitation is indeed trivial and results in full root access.
Fewer also points out that anyone still running telnetd in 2026 should consider an upgrade. The program's lack of encryption leaves it vulnerable to packet sniffing, allowing attackers to intercept login attempts and sessions.
While telnetd has lost favor over the years, with alternatives like SSH gaining popularity, it's surprising to learn that a significant number of active deployments still exist. France's CERT, along with cybersecurity authorities in Canada and Belgium, have issued advisories urging the retirement of telnetd, citing the risks of a successful exploit. They recommend updating to the latest version of telnetd, restricting web access, or upgrading to a more secure alternative like SSH.
This vulnerability serves as a stark reminder of the importance of staying updated and adopting secure practices. As we navigate the ever-evolving landscape of cybersecurity, it's crucial to remain vigilant and proactive in protecting our systems and data.
What are your thoughts on this critical vulnerability? Do you think the recommendations to retire telnetd are justified? Share your insights and join the discussion in the comments below!
