Ancient telnet bug happily hands out root to attackers

A critical authentication-bypass bug (CVE-2026-24061, CVSS 9.8) in GNU InetUtils telnetd—introduced in 2015—allows remote attackers to obtain root by passing a crafted USER environment value (e.g., '-f root') combined with telnet's -a/--login option; exploitation is trivial and active scanning/exploit attempts were observed, prompting advisories to patch or decommission telnetd and restrict access.