Attackers Leveraging telnetd Exploit for Root Privileges After PoC Goes Public
ID: 7b41ff9e-79be-51b6-9da5-fe793ef0436f
STIX ID: report--7b41ff9e-79be-51b6-9da5-fe793ef0436f
Feed Name: GBHackers
A critical authentication bypass in GNU InetUtils telnetd (versions 1.9.3 through 2.7) lets a remote attacker obtain root without credentials: telnetd hands the client-supplied USER environment variable to the login program unsanitised, so a value such as "-f root" is consumed by login(1) as its -f option (log in as root, skip authentication). Proof-of-concept code was published and patches were issued on January 20, 2026.

Honeypot sensors observed exploitation attempts beginning January 21: 18 attacker IPs and 60 attempts, all over Telnet (TCP port 23), with IDS alerts indicating successful root access followed by attempts to fetch and run a Python-based payload from 67.220.95.16:8000.

Organizations are advised to audit any exposed Telnet services (upgrade telnetd or disable it), review authentication logs for root logins arriving over Telnet, and treat every successful exploitation as a full host compromise that requires incident response and a rebuild rather than cleanup.
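The mechanism above is the reason a single network-level check catches this class of attack: a Telnet client conveys USER to the server through the NEW-ENVIRON subnegotiation (RFC 1572), and no legitimate login name begins with a dash. The script below is an added example for this note, not code from the GBHackers post or from GNU InetUtils; it assumes the attack delivers USER via NEW-ENVIRON (the page does not say which Telnet option the PoC uses) and runs over constructed client-to-server bytes, flagging any environment value that starts with "-".

```python
"""Flag NEW-ENVIRON option injection (e.g. USER="-f root") in captured Telnet
client traffic. Editor-added example; the sample packets below are constructed,
not captured, and the USER-via-NEW-ENVIRON delivery is an assumption."""

IAC, SB, SE = 255, 250, 240
WILL, WONT, DO, DONT = 251, 252, 253, 254
NEW_ENVIRON = 39
ENV_IS = 0                              # NEW-ENVIRON sub-command sent by the client
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3   # RFC 1572 tokens inside IS/SEND


def iter_subnegotiations(stream: bytes):
    """Yield (option, payload) for each IAC SB <opt> ... IAC SE in a Telnet stream.
    Inside a subnegotiation a doubled IAC is a literal 0xFF data byte."""
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC or i + 1 >= n:
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd == IAC:                       # escaped data byte outside SB
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):  # 3-byte option negotiation
            i += 3
        elif cmd == SB and i + 2 < n:
            option, j, payload = stream[i + 2], i + 3, bytearray()
            while j < n:
                b = stream[j]
                if b == IAC and j + 1 < n and stream[j + 1] == IAC:
                    payload.append(IAC); j += 2
                elif b == IAC:               # IAC SE ends it; anything else is malformed
                    j += 2; break
                else:
                    payload.append(b); j += 1
            yield option, bytes(payload)
            i = j
        else:
            i += 2


def parse_new_environ_is(payload: bytes) -> list[tuple[str, str]]:
    """Decode an IS body: IS {VAR|USERVAR name [VALUE value]}* with ESC quoting."""
    if not payload or payload[0] != ENV_IS:
        return []
    pairs, name, value, cur = [], None, None, None

    def flush():
        nonlocal name, value
        if name is not None:
            pairs.append((name.decode("latin-1"), (value or b"").decode("latin-1")))
        name = value = None

    i = 1
    while i < len(payload):
        b = payload[i]
        if b in (VAR, USERVAR):
            flush(); name = bytearray(); cur = name
        elif b == VALUE:
            value = bytearray(); cur = value
        elif b == ESC and i + 1 < len(payload):
            i += 1                           # next byte is literal data
            if cur is not None: cur.append(payload[i])
        elif cur is not None:
            cur.append(b)
        i += 1
    flush()
    return pairs


def find_option_injection(stream: bytes) -> list[tuple[str, str]]:
    """Return NEW-ENVIRON variables whose value begins with '-': passed unsanitised
    as an argument to login(1), such a value becomes a login option, not a user name."""
    hits = []
    for option, payload in iter_subnegotiations(stream):
        if option == NEW_ENVIRON:
            hits += [(n, v) for n, v in parse_new_environ_is(payload) if v.startswith("-")]
    return hits


def _escape(raw: bytes) -> bytes:
    """RFC 1572 quoting: prefix VAR/VALUE/ESC/USERVAR bytes with ESC, double IAC."""
    out = bytearray()
    for b in raw:
        out.append(ESC if b in (VAR, VALUE, ESC, USERVAR) else b) if False else None
        if b in (VAR, VALUE, ESC, USERVAR): out.append(ESC)
        elif b == IAC: out.append(IAC)
        out.append(b)
    return bytes(out)


def build_is(pairs) -> bytes:
    """Build a client NEW-ENVIRON IS subnegotiation (constructed test traffic)."""
    body = bytearray([IAC, SB, NEW_ENVIRON, ENV_IS])
    for name, value in pairs:
        body.append(VAR); body += _escape(name.encode())
        body.append(VALUE); body += _escape(value.encode())
    return bytes(body + bytes([IAC, SE]))


# Constructed samples: a normal login and the "-f root" injection, each preceded
# by the client's IAC WILL NEW-ENVIRON reply.
BENIGN = bytes([IAC, WILL, NEW_ENVIRON]) + build_is([("USER", "alice"), ("DISPLAY", "host:0")])
MALICIOUS = bytes([IAC, WILL, NEW_ENVIRON]) + build_is([("USER", "-f root")])

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, find_option_injection(pkt))
```

Run it over the client-to-server side of a TCP/23 capture (the server's own SEND request carries no values and is ignored). Because a leading dash can never be a valid login name, alerting on any hit costs almost nothing in false positives; the same check, applied server-side before the value reaches the login program, is the shape of input validation this bug was missing.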
