Overview
- A flaw tracked as CVE-2026-24061 lets remote attackers force root login by injecting "USER=-f root" during Telnet negotiation.
- The issue affects GNU Inetutils telnetd versions 1.9.3 through 2.7 and is fixed in version 2.8.
- GreyNoise recorded limited but real-world activity from 18 unique IPs across 60 sessions, largely automated and targeting root.
- The bug, introduced by a 2015 code change, was disclosed this week, with Rapid7 and others confirming exploitation is straightforward.
- Admins are urged to update or backport the fix, disable telnetd, block TCP/23, or restrict access, especially on legacy and embedded devices.