HeadlinesBriefing.com

CVE-2026-24061: GNU Inetutils Root Bypass

DEV Community

A critical authentication-bypass vulnerability in the GNU Inetutils telnet daemon (telnetd), CVE-2026-24061, lets an unauthenticated remote attacker obtain root by supplying a crafted USER environment variable during the telnet handshake. It carries a CVSS score of 9.8 and affects Inetutils versions 1.9.3 through 2.7. A public proof-of-concept exploit targets the classic telnetd service listening on TCP port 23.

The attack sets USER to '-f root' in the environment the client sends during the initial option negotiation. telnetd passes that value straight through as an argument to the system login binary, and because the value begins with a dash, login's option parser reads it as the -f flag, which tells login that the user has already been authenticated. login therefore skips the password prompt and starts a root shell without any credentials. The exact flag handling depends on the login implementation in use, but -f (pre-authenticated login) is supported by the common Linux implementations, which is what makes the bypass so reliable. The flaw is another reminder that legacy cleartext protocols such as telnet carry risk well beyond eavesdropping and should be disabled in favor of SSH.

Fixes are available in Inetutils 2.8. Administrators should upgrade immediately (run telnetd --version to confirm the installed build); where that is not yet possible, stop and disable telnetd, block TCP port 23 at the firewall, or backport the upstream commit that sanitizes the USER value before it reaches login. The root cause is a general one: a network service must never let client-controlled environment variables influence authentication decisions, and any client-supplied string that ends up as an argv element must be checked for option-like values before it is handed to a privileged helper.
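As an added example, not code from the advisory or from GNU Inetutils, the following Python parses the telnet NEW-ENVIRON subnegotiation (RFC 1572) through which a client ships USER during the handshake, flags the '-f root' pattern described above, and shows the sanitize-before-argv check that the Inetutils 2.8 fix is meant to enforce. The telnet option constants come from the RFCs; the sample frames, the peer address, the function names and the argv layout are constructed for illustration and are a simplified stand-in for what telnetd actually builds.

```python
"""Added example (not the advisory's or Inetutils' code): decode a telnet
NEW-ENVIRON frame, detect a USER value that login(1) would parse as an option,
and build a login argv that refuses such values."""
from typing import Dict, Optional

# Telnet protocol constants (RFC 854 / RFC 1572).
IAC, SB, SE = 255, 250, 240
NEW_ENVIRON = 39
ENV_IS, ENV_SEND, ENV_INFO = 0, 1, 2
ENV_VAR, ENV_VALUE, ENV_ESC, ENV_USERVAR = 0, 1, 2, 3


def _flush(env: Dict[str, Optional[str]], name, value) -> None:
    """Record the variable being accumulated; a VAR with no VALUE is stored as None."""
    if name is not None:
        env[name.decode("latin-1")] = None if value is None else value.decode("latin-1")


def parse_new_environ(raw: bytes) -> Dict[str, Optional[str]]:
    """Decode one IAC SB NEW-ENVIRON IS|INFO ... IAC SE frame into {name: value}.

    Handles RFC 1572 escaping (ESC before a VAR/VALUE/ESC/USERVAR byte inside
    a name or value, and a doubled IAC for a literal 255). Raises ValueError
    on a malformed frame so callers cannot silently accept garbage.
    """
    if raw[:3] != bytes([IAC, SB, NEW_ENVIRON]) or raw[-2:] != bytes([IAC, SE]):
        raise ValueError("not a NEW-ENVIRON subnegotiation")
    body = raw[3:-2]
    if not body or body[0] not in (ENV_IS, ENV_INFO):
        raise ValueError("expected IS or INFO")
    env: Dict[str, Optional[str]] = {}
    name = None   # bytearray while a variable name is being accumulated
    value = None  # bytearray while that variable's value is being accumulated
    i = 1
    while i < len(body):
        b = body[i]
        if b in (ENV_VAR, ENV_USERVAR):
            _flush(env, name, value)
            name, value = bytearray(), None
            i += 1
            continue
        if b == ENV_VALUE:
            if name is None:
                raise ValueError("VALUE without a preceding VAR")
            value = bytearray()
            i += 1
            continue
        if b == IAC:
            # Inside a subnegotiation a literal 255 is sent as IAC IAC.
            if i + 1 >= len(body) or body[i + 1] != IAC:
                raise ValueError("lone IAC inside subnegotiation")
            i += 1
        elif b == ENV_ESC:
            # ESC makes the next byte literal even if it is VAR/VALUE/ESC/USERVAR.
            if i + 1 >= len(body):
                raise ValueError("dangling ESC")
            i += 1
            b = body[i]
        target = value if value is not None else name
        if target is None:
            raise ValueError("data byte before any VAR")
        target.append(b)
        i += 1
    _flush(env, name, value)
    return env


def sanitize_user(user: Optional[str]) -> Optional[str]:
    """Return USER if it is safe to pass to login(1) as a user name, else None.

    Rejects anything login's option parser would treat as a flag (leading '-'),
    embedded whitespace or control bytes, and overlong names. This is an added
    check mirroring the intent of the upstream fix, not the project's code.
    """
    if not user or len(user) > 32:
        return None
    if user.startswith("-"):
        return None  # would become e.g. `login ... -f root`
    if not all(c.isalnum() or c in "._-" for c in user):
        return None
    return user


def login_argv(env: Dict[str, Optional[str]], peer: str) -> list:
    """Build a login(1) argv the way a hardened telnetd-like daemon should.

    The vulnerable pattern appends the client's USER verbatim; here an unsafe
    value is dropped so login simply prompts for a name. The argv layout is a
    simplified stand-in for the real daemon's.
    """
    argv = ["/bin/login", "-p", "-h", peer]
    user = sanitize_user(env.get("USER"))
    if user is not None:
        argv.append(user)
    return argv


def is_user_flag_injection(raw: bytes) -> bool:
    """Detection helper: True when a NEW-ENVIRON frame carries a USER value
    that starts with '-', the CVE-2026-24061 pattern (for example '-f root')."""
    try:
        env = parse_new_environ(raw)
    except ValueError:
        return False
    user = env.get("USER")
    return bool(user) and user.lstrip().startswith("-")


# Constructed frames for illustration (not captured from a real session).
BENIGN = (bytes([IAC, SB, NEW_ENVIRON, ENV_IS, ENV_VAR]) + b"USER"
          + bytes([ENV_VALUE]) + b"alice" + bytes([IAC, SE]))
MALICIOUS = (bytes([IAC, SB, NEW_ENVIRON, ENV_IS, ENV_VAR]) + b"USER"
             + bytes([ENV_VALUE]) + b"-f root" + bytes([IAC, SE]))

if __name__ == "__main__":
    for label, frame in (("benign", BENIGN), ("malicious", MALICIOUS)):
        env = parse_new_environ(frame)
        print(label, env, "flagged" if is_user_flag_injection(frame) else "ok",
              login_argv(env, "10.0.0.5"))
```

The parser is the piece a network sensor or an in-house telnet honeypot would reuse: the injection is only visible at the NEW-ENVIRON layer, after IAC and ESC escaping has been undone, so grepping raw TCP payloads for "-f root" misses a client that escapes or splits the value. The sanitize step deliberately rejects rather than rewrites; stripping a leading dash would still let an attacker pick the resulting name.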