11-Year Telnet Demon Awakens: Critical Root Exploit Lurking in GNU for Nearly a Decade
Hey devs, a bombshell dropped yesterday: researchers uncovered a critical vulnerability in GNU InetUtils’ telnetd server that’s been hiding since 2015, letting attackers snag root access on unpatched systems with zero hassle.
CVE-2026-24061 scores a brutal 9.8 on CVSS and hits every version from 1.9.3 to 2.7. The flaw stems from telnetd not sanitizing the USER environment variable before handing it off to login(1), which blindly trusts the -f flag to skip authentication—boom, remote root shell.
Discovered by security researcher Kyu Neushwaistein on January 19, 2026, GreyNoise is already spotting real-world exploit attempts. If you’re running this ancient telnet daemon (yeah, why?), patch immediately, firewall it to trusted IPs only, or better yet, kill it and use SSH like it’s 2026.
As a developer, this screams “check your deps”: GNU InetUtils sneaks into Linux distros and embedded systems you might inherit or deploy. One unsanitized env var, and your server becomes an attacker’s playground—time to audit telnet usage, enforce secure defaults, and push for Secure by Design in every codebase.
Lesson learned: Old code doesn’t age gracefully in cyber. Patch now, ditch telnet forever, and stay sharp—threats like this prove vigilance never sleeps.
