
11-Year-Old critical telnetd flaw found in GNU InetUtils (CVE-2026-24061)

ID: 29486195-d89a-5ded-825e-9aae4fc2d66c

STIX ID: report--29486195-d89a-5ded-825e-9aae4fc2d66c

Feed Name: Security Affairs

Threat Score: 90/100

Date Published: 2026-01-24

Date Updated: 2026-04-22

Author: Pierluigi Paganini


A critical authentication-bypass vulnerability (CVE-2026-24061, CVSS 9.8) in GNU InetUtils telnetd allows a remote attacker to obtain root by supplying a crafted USER environment value (e.g., "-f root"), which is passed unsanitized to /usr/bin/login. The flaw was introduced in 2015, is present in versions 1.9.3 through 2.7, and went unnoticed for nearly 11 years. Exploitation attempts have already been observed, so affected systems should be patched, telnet access restricted or disabled, and mitigations applied immediately.
