CVE-2026-24061: Decade-Old Vulnerability in GNU InetUtils telnetd Enables Remote Root Access

ID: 053db286-5176-5682-94fd-e8f76ec8828c

STIX ID: report--053db286-5176-5682-94fd-e8f76ec8828c

Feed Name: SOC Prime Blog

Threat Score: 75/100

Date Published: 2026-01-23

Date Updated: 2026-04-30

Author: Daryna Olyniychuk

A critical authentication bypass (CVE-2026-24061) in GNU InetUtils telnetd allows unauthenticated remote attackers to obtain root access by supplying the USER environment variable value "-f root" combined with telnet's login options. The flaw affects InetUtils 1.9.3 through 2.7 and was introduced in 2015; researchers report active exploitation attempts observed in the wild. Immediate mitigations include upgrading, restricting telnet access, disabling telnetd, or using a custom login that blocks the -f parameter.
