GNU Project A.I CyberSecurity Scoring
GNU Project
Company Information
Website: https://www.gnu.org/
Number of employees: 74
Number of followers: 0
NAICS: 5112
Industry Type: Software Development
Homepage: gnu.org
GNU Project Risk Score (AI oriented)
Between 800 and 849
Updated: 18/03/2026
814/1000 (Good, grade A)
GNU Project Global Score (TPRM)
Score locked
Current Score
814 A (GOOD)
5 incidents
-3 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
815
MAY 2026
814
APRIL 2026
814
MARCH 2026
817
Vulnerability
18 Mar 2026 • GNU Project
GNU: Critical Telnetd Vulnerability Enables Remote Code Execution Attacks
Critical Telnetd Vulnerability (CVE-2026-32746) Exposes Legacy Systems to Remote Code Execution
814
CRITICAL-3
GNU1773836738
A severe buffer overflow vulnerability (CVE-2026-32746) has been identified in the GNU InetUtils telnetd daemon, allowing unauthenticated attackers to execute arbitrary code with root privileges. The flaw, rated 9.8 (CVSS 3.1), was discovered by Dream Security Labs and affects all versions of the software up to 2.7.
The vulnerability stems from improper handling of LINEMODE SLC (Set Local Characters) option negotiation during the initial connection handshake. By sending a maliciously crafted message with an excessive triplet count over TCP port 23, attackers can trigger a buffer overflow before authentication occurs, meaning no credentials or user interaction are required. Since telnetd typically runs with root privileges, successful exploitation grants full system compromise, enabling backdoor deployment, data exfiltration, or lateral movement within a network.
While modern IT environments have largely replaced Telnet with SSH, the protocol persists in legacy Industrial Control Systems (ICS), operational technology (OT), and government networks, including PLCs, SCADA systems, and embedded devices where upgrades are costly or operationally disruptive. This makes the flaw particularly dangerous for critical infrastructure, such as power grids, water treatment facilities, and manufacturing plants, where security modernization is slow and exposed systems remain common.
Mitigation efforts include disabling telnetd where possible, blocking port 23 at the network perimeter, restricting access to trusted IPs, and running the daemon without root privileges. Detection requires network-level monitoring, as standard logs won’t capture the attack. Security teams should configure firewalls to log all port 23 connections and deploy IDS/IPS solutions (e.g., Suricata, Snort) to flag LINEMODE SLC payloads exceeding 90 bytes. No active exploitation has been confirmed, but the flaw’s severity demands immediate action.
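The detection advice above, sketched as an added example (not part of the original write-up or of any GNU or vendor tooling): a parser that walks a reassembled client-to-server Telnet stream, unescapes IAC IAC, and reports LINEMODE SLC subnegotiations longer than 90 bytes. The function names and sample streams are constructed for illustration; the byte codes come from RFC 854 and RFC 1184.

```python
IAC, SB, SE = 0xFF, 0xFA, 0xF0   # RFC 854 command bytes
LINEMODE, LM_SLC = 34, 3         # RFC 1184 option code and SLC sub-command
SLC_MAX_BYTES = 90               # threshold quoted in the write-up above


def subnegotiations(stream: bytes):
    """Yield (option, payload, terminated) for each IAC SB block in stream."""
    i, n = 0, len(stream)
    while i + 1 < n:
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] != SB:
            # WILL/WONT/DO/DONT (251-254) carry an option byte; others do not.
            i += 3 if 251 <= stream[i + 1] <= 254 else 2
        elif i + 2 >= n:
            return                       # capture ends right after IAC SB
        else:
            option, payload, j, done = stream[i + 2], bytearray(), i + 3, False
            while j < n:
                pair = stream[j:j + 2]
                if pair == bytes([IAC, SE]):
                    done, j = True, j + 2
                    break
                if pair == bytes([IAC, IAC]):
                    j += 1               # IAC IAC is one escaped 0xFF data byte
                payload.append(stream[j])
                j += 1
            yield option, bytes(payload), done
            i = j


def oversized_slc(stream: bytes, limit: int = SLC_MAX_BYTES):
    """Return a finding for every LINEMODE SLC block longer than limit bytes."""
    findings = []
    for option, payload, done in subnegotiations(stream):
        if option == LINEMODE and payload[:1] == bytes([LM_SLC]):
            data = payload[1:]           # (function, flags, value) triplets
            if len(data) > limit:
                findings.append({"bytes": len(data), "triplets": len(data) // 3,
                                 "terminated": done})
    return findings

# Constructed sample streams (not captured traffic): 18 and 40 triplets.
HEAD, TAIL = bytes([IAC, 251, LINEMODE, IAC, SB, LINEMODE, LM_SLC]), bytes([IAC, SE])
NORMAL = HEAD + bytes([1, 2, 3]) * 18 + TAIL
OVERSIZED = HEAD + bytes([1, 2, 3]) * 40 + TAIL

if __name__ == "__main__":
    print(oversized_slc(NORMAL), oversized_slc(OVERSIZED))
```

The length is measured after unescaping, so doubled 0xFF bytes do not inflate the count, and a block with no closing IAC SE is still reported with `terminated` set to False.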
FEBRUARY 2026
817
JANUARY 2026
820
Vulnerability
26 Jan 2026 • GNU Project
GNU: Over 800K GNU InetUtils telnetd Instances Exposed to RCE Attacks as PoC Released
Critical RCE Vulnerability in GNU InetUtils telnetd Exposes 800,000 Systems
817
CRITICAL-3
GNU1769439621
A severe remote code execution (RCE) vulnerability, CVE-2026-24061, has been identified in the GNU InetUtils telnetd component, affecting approximately 800,000 exposed instances worldwide. The flaw, rated Critical (CVSS 9.8), allows unauthenticated attackers to execute arbitrary commands with root privileges on vulnerable systems.
The vulnerability stems from inadequate input validation in the telnetd service, enabling threat actors to craft malicious payloads that compromise systems. Proof-of-concept exploits have already been demonstrated, increasing the risk of widespread attacks. Since telnetd often runs with elevated privileges on legacy systems, successful exploitation grants full control over affected infrastructure.
Data from the Shadowserver Foundation’s Accessible Telnet Report reveals that exposed instances span multiple geographies and networks, with many systems running unpatched versions for extended periods. While safe vulnerability-specific scanning remains unavailable, organizations can use Shadowserver’s report to identify at-risk systems by cross-referencing their infrastructure against publicly accessible telnet services.
Immediate remediation steps include disabling telnetd on public-facing systems, implementing network segmentation, and upgrading to patched versions of GNU InetUtils. For systems where telnetd cannot be removed, restricting access via firewall rules and monitoring for exploitation attempts is recommended. The combination of widespread exposure, exploit availability, and delayed patching makes this a high-priority threat for affected organizations.
DECEMBER 2025
820
NOVEMBER 2025
820
OCTOBER 2025
820
SEPTEMBER 2025
820
AUGUST 2025
820
JULY 2025
820
MAY 2015
814
Vulnerability
01 May 2015 • GNU Project
GNU InetUtils: GNU InetUtils Vulnerability Exploited via “-f root” to Achieve Full System Control
Critical Authentication Bypass Flaw in GNU InetUtils Telnetd Grants Root Access Without Credentials
811
CRITICAL-3
GNU1769023602
A high-severity vulnerability in GNU InetUtils’ telnetd server (versions 1.9.3 through 2.7) allows unauthenticated remote attackers to bypass authentication and gain root access by exploiting improper input sanitization. The flaw, introduced in a 2015 commit (fa3245ac), stems from the USER environment variable being passed unsanitized to the login utility, which interprets the `-f` flag as an authentication bypass.
### Technical Details
The vulnerability resides in telnetd/utility.c, where the `_var_short_name()` function fails to validate the %U parameter (representing the USER variable) in the login command template:
`PATH_LOGIN -p -h %h %?u{-f %u}{%U}`.
An attacker can inject `-f root` via the USER variable, tricking the login program into granting root privileges without credentials.
### Exploitation & Impact
A proof-of-concept exploit requires only a single command:
`USER='-f root' telnet -a localhost`
This immediately spawns a root shell without password authentication, as demonstrated on Trisquel GNU/Linux 11. The flaw affects all versions since v1.9.3 (May 2015) and remains unpatched in v2.7 unless mitigated.
### Recommended Actions
The GNU InetUtils team advises disabling telnetd entirely, as modern systems should use SSH for secure remote access. Patches (commits fd702c02 and ccba9f748) introduce variable sanitization to block similar attacks. Network administrators are urged to restrict telnet port access and migrate to SSH-based solutions. Custom login tools that reject the `-f` parameter are also suggested as a workaround.
MARCH 2015
818
Vulnerability
19 Mar 2015 • GNU Project
GNU: Critical GNU InetUtils Vulnerability Allows Unauthenticated Root Access Via “-f root”
Critical Authentication Bypass Flaw in GNU InetUtils Exposes Systems to Root-Level Attacks
814
CRITICAL-4
GNU1768994674
A severe remote authentication bypass vulnerability has been discovered in the telnetd server component of GNU InetUtils, allowing unauthenticated attackers to gain root access on affected systems. The flaw, reported by a security researcher on January 19, 2026, stems from improper input sanitization in the telnetd authentication mechanism.
The vulnerability occurs when telnetd passes the USER environment variable received from a remote client directly to /usr/bin/login without validation. Attackers can exploit this by crafting a malicious USER variable containing the string “-f root”, which login(1) interprets as a command to bypass authentication entirely. By sending a telnet connection with this payload via the -a or --login parameter, an unauthenticated user can gain immediate root-level access without credentials.
The flaw was introduced in a March 19, 2015 code modification and first appeared in GNU InetUtils 1.9.3 (released May 12, 2015). It remains unpatched in all subsequent versions, including the latest 2.7, affecting systems running InetUtils 1.9.3 through 2.7.
GNU maintainers have outlined three mitigation strategies:
- Disabling telnetd (preferred due to inherent security risks).
- Restricting access to trusted clients.
- Upgrading to patched versions provided by Eggert & Josefsson.
The vulnerability underscores the ongoing risks of legacy protocols like telnet, which lack modern security controls. Given the potential for complete system compromise, organizations are urged to prioritize remediation, either by applying patches or by disabling telnetd, to mitigate exposure to untrusted networks.
Vulnerability
19 Mar 2015 • GNU Project
GNU InetUtils: Critical GNU InetUtils Vulnerability Allows Unauthenticated Root Access via “-f root”
Critical Authentication Bypass Flaw in GNU InetUtils telnetd Grants Immediate Root Access
814
CRITICAL-4
GNU1769002015
A severe remote authentication bypass vulnerability (CVE pending) has been disclosed in the GNU InetUtils telnetd server, affecting versions 1.9.3 through 2.7. The flaw allows unauthenticated attackers to gain immediate root access by exploiting improper input validation in the handling of the USER environment variable.
### Technical Details & Exploitation
The vulnerability stems from telnetd’s failure to sanitize the USER environment variable before passing it to `/usr/bin/login`. The `login` utility interprets the `-f` parameter as a command to bypass authentication, enabling attackers to craft a malicious USER value (e.g., `-f root`) and gain unrestricted root access.
Exploitation is straightforward:
```text
USER='-f root' telnet -a localhost
```
This command directly spawns a root shell without authentication, demonstrating the flaw’s severity.
The issue was introduced in a March 19, 2015, commit aimed at improving telnetd functionality and remained undetected until its responsible disclosure on January 19, 2026. The root cause lies in insufficient variable expansion sanitization in `telnetd/utility.c`, where the `_var_short_name()` function returns unsanitized environment variables. Researchers warn that similar risks may exist for other untrusted variables, such as `remote_hostname`.
### Mitigation & Patching
The GNU InetUtils team urges immediate action, recommending:
- Disabling telnetd services or restricting access to trusted clients.
- Applying security patches that sanitize variable expansion to prevent command injection.
- Upgrading to patched releases once available.
- Deploying custom `login` utilities that reject the `-f` parameter as a temporary workaround.
### Impact & Risk
This vulnerability poses a critical risk to organizations running telnetd, particularly legacy systems requiring backward compatibility. The unauthenticated nature and ease of exploitation make it a high-priority patching requirement. Systems exposed to untrusted networks are at heightened risk of compromise.
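A simplified model of the USER expansion flaw described in the three write-ups above, added here as an example and not taken from InetUtils or its patches: the unsanitized expansion next to a hardened one that also checks the host value. The whitespace splitting, the `SAFE_VALUE` policy and all function names are assumptions made for the illustration.

```python
import re

# Login template quoted on this page:  PATH_LOGIN -p -h %h %?u{-f %u}{%U}
# Read here as: if an authenticated user %u exists pass "-f %u", otherwise
# pass %U, the USER value supplied by the remote client.
LOGIN = "/usr/bin/login"
# Assumed policy for this example: no leading "-", no whitespace or shell
# metacharacters. The real patches may apply a different rule.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.][A-Za-z0-9_.:@-]*")


def expand_unsanitized(host: str, auth_user: str, env_user: str) -> list[str]:
    """Flawed model: paste values into the line, then split on whitespace."""
    tail = f"-f {auth_user}" if auth_user else env_user
    return f"{LOGIN} -p -h {host} {tail}".split()


def expand_sanitized(host: str, auth_user: str, env_user: str) -> list[str]:
    """Hardened model: validate every expanded value, build argv directly."""
    for name, value in (("host", host), ("user", auth_user), ("USER", env_user)):
        if value and not SAFE_VALUE.fullmatch(value):
            raise ValueError(f"rejected {name} value {value!r}")
    argv = [LOGIN, "-p", "-h", host]
    if auth_user:
        return argv + ["-f", auth_user]
    return argv + ([env_user] if env_user else [])


def is_rejected(host: str, env_user: str) -> bool:
    """True when the hardened expansion refuses the client-supplied values."""
    try:
        expand_sanitized(host, "", env_user)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: documentation address and the USER value from the page.
    print(expand_unsanitized("198.51.100.7", "", "-f root"))
    print(is_rejected("198.51.100.7", "-f root"))
```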