Critical Telnet Server Flaw Exposes Forgotten Attack Surface

A critical authentication bypass in GNU InetUtils telnetd (CVE-2026-24061) — introduced in 2015 and fixed in InetUtils 2.8 — allows attackers to bypass authentication (via argument injection using an "-f root" USER value) and potentially gain full control of affected devices; researchers warn the flaw is easy to exploit and threat actors are already targeting exposed Telnet servers, with estimations of roughly 800,000 Telnet instances publicly reachable, particularly on legacy and IoT devices. The report urges immediate patching or disabling of telnetd, network access restrictions to Telnet, segmentation of high-risk devices, and vendor remediation.