Red Hot Cyber
Cybersecurity, Cybercrime News and Vulnerability Analysis
A critical security flaw has been discovered in the telnetd server component of GNU InetUtils, involving remote authentication bypass . A security researcher reported the vulnerability on January 19, 2026. Exploiting this flaw allows unauthenticated attackers to gain root access due to inadequate input handling in the telnetd authentication mechanism.
The security flaw arises from the specific method used by telnetd to invoke the login program. Telnetd, when a telnet client connects, accepts a USER environment variable sent by the remote client without any sanitization and transfers it directly to /usr/bin/login.
By sending a telnet connection with the specially crafted USER environment variable using the -a or -login telnet parameter, an attacker completely bypasses the login authentication system and immediately gains root access to the system. The vulnerability was introduced inadvertently during a code change on March 19, 2015 , and was included in version 1.9.3 of GNU InetUtils, released on May 12, 2015. The flaw persisted in all subsequent versions up to and including version 2.7.
The attacker has the ability to generate a malicious USER environment variable, including the specific string “-f root”, a parameter that login interprets as an indication to bypass standard authentication procedures.
GNU InetUtils versions 1.9.3 through 2.7 are vulnerable. According to OpenWall , organizations using telnetd from GNU InetUtils should immediately evaluate their exposure. GNU maintainers recommend three approaches: This vulnerability demonstrates the persistent risks associated with legacy protocols like Telnet.
Bypassing authentication allows complete system compromise with root privileges, which poses a critical security threat to any system that exposes telnetd to untrusted networks.
Organizations should prioritize updating GNU InetUtils or immediately disabling telnetd. The availability of patches means that a delayed fix significantly increases the risk of compromise.
Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.
