A critical remote authentication bypass vulnerability has been disclosed in GNU InetUtils affecting the telnetd server component.
The flaw, reported by a security researcher on January 19, 2026, allows unauthenticated attackers to gain root access by exploiting improper input sanitization in the telnetd authentication mechanism.
The vulnerability stems from how telnetd invokes the login program. When a telnet client connects, telnetd receives a USER environment variable from the remote client and passes it directly to /usr/bin/login without sanitization.
An attacker can craft a malicious USER environment variable containing the string “-f root”, a parameter that login (1) interprets as a flag to bypass routine authentication procedures.
By sending a telnet connection with the specially crafted USER environment variable using telnet’s -a or –login parameter.
An unauthenticated remote user bypasses the login authentication system entirely and gains immediate root-level access to the system.
The vulnerability was inadvertently introduced during a code modification on March 19, 2015, and was included in GNU InetUtils version 1.9.3 released on May 12, 2015
The flaw has persisted through all subsequent versions up to and including version 2.7. GNU InetUtils versions 1.9.3 through 2.7 are vulnerable.
According to OpenWall, organizations running telnetd from GNU InetUtils should immediately assess their exposure. GNU maintainers recommend three approaches:
| Approach | Description |
|---|---|
| Disable telnetd | Turn off telnet due to insecurity (preferred) |
| Restrict access | Allow only trusted clients |
| Upgrade software | Apply patches by Eggert & Josefsson |
This vulnerability demonstrates the persistent risks associated with legacy protocols like telnet.
The authentication bypass allows complete system compromise with root privileges, making this a critical security threat for any system that exposes telnetd to untrusted networks.
Organizations should prioritize either updating GNU InetUtils or immediately turning off telnetd. The availability of patches means that delayed remediation significantly increases the risk of compromise.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
