Hackers Exploit 11-Year-Old Linux Telnet Flaw to Gain Root Access

A long-hidden GNU InetUtils telnetd vulnerability is now under active hacker exploitation, putting legacy and industrial systems at risk.

Security researchers have identified an active exploitation campaign targeting a critical vulnerability in the GNU InetUtils telnetd server. The flaw remained hidden for 11 years before public disclosure and now poses a serious risk to legacy and industrial systems.

Tracked as CVE-2026-24061, the vulnerability allows attackers to bypass authentication and log in as root without valid credentials. Exploitation is trivial, and public proof-of-concept exploits are already available.

How the Vulnerability Works

The issue originates from improper handling of environment variables in the telnetd service. When telnetd spawns /usr/bin/login, it passes the USER environment variable directly without sanitization.

Attackers can exploit this behavior by:

Setting the USER variable to -f root
Connecting using the telnet -a option
Skipping authentication entirely
Gaining root-level access

This flaw affects GNU InetUtils versions 1.9.3 (2015) through 2.7. The project fixed the issue in version 2.8.

Why This Still Matters

Although Telnet is a legacy protocol largely replaced by SSH, it remains active in many environments. Industrial systems, embedded devices, and operational technology networks still rely on Telnet due to its simplicity and low resource usage.

These systems often run for years without updates. As a result, vulnerable telnetd services still exist in:

IoT devices
Industrial sensors
Cameras
Legacy networking equipment
OT and ICS environments

Exploitation Observed in the Wild

Threat intelligence monitoring confirms real-world exploitation. Activity occurred shortly after disclosure, between January 21 and 22.

Observed attack activity includes:

18 unique attacker IP addresses
60 malicious Telnet sessions
Over 1,500 packets sent
All activity classified as 100% malicious

While exposed internet-facing Telnet services remain limited, attackers are actively scanning for vulnerable endpoints.

Mitigation and Defense

Organizations running affected versions should act immediately.

Recommended actions:

Upgrade to GNU InetUtils 2.8
Disable the telnetd service where possible
Block TCP port 23 at the firewall
Audit legacy systems and embedded devices
Replace Telnet with SSH or secure alternatives

Over 20,000 Instagram Accounts Hijacked Through Meta AI Support Flaw

Nottingham University Data Breach Exposes Records of More Than 450,000 Students

DragonForce Ransomware Hides C2 Traffic Inside Microsoft Teams Infrastructure

North Korean Hackers Weaponize Developer Tools to Turn Code Workflows Into Malware Delivery Channels

Anthropic Unveils Claude Fable 5 with Built-In Cyber Safeguards as AI Security Enters a New Era

ATHR AI Vishing Platform Automates Voice Phishing at Scale

How Modern Businesses Can Measure Cyber Risk in Financial and Operational Terms Instead of Technical Guesswork

What Is Wiper Malware in Cybersecurity? Understanding One of the Most Destructive Types of Cyber Attacks

Why Delaying Software Updates Can Put Your Entire Digital Security at Risk

How Attackers Abuse Legitimate Windows Tools: Understanding LOLBins and Living-Off-the-Land Attacks

Brave Launches Paid ‘Origin’ Browser for Users Seeking a Cleaner, Privacy-First Experience

Apple Blocks $11 Billion in App Store Fraud as Mobile Threats Continue to Rise

Hackers Exploit 11-Year-Old Linux Telnet Flaw to Gain Root Access