The flaw, reported by a security researcher on January 19, 2026, allows unauthenticated attackers to gain root access by exploiting improper input sanitization in the telnetd authentication mechanism.
The vulnerability stems from how telnetd invokes the login program. When a telnet client connects, telnetd receives a USER environment variable from the remote client and passes it directly to /usr/bin/login without sanitization.
An attacker can craft a malicious USER environment variable containing the string “-f root”, a parameter that login (1) interprets as a flag to bypass routine authentication procedures.
By sending a telnet connection with the specially crafted USER environment variable using telnet’s -a or –login parameter.
An unauthenticated remote user bypasses the login authentication system entirely and gains immediate root-level access to the system.
The vulnerability was inadvertently introduced during a code modification on March 19, 2015, and was included in GNU InetUtils version 1.9.3 released on May 12, 2015
The flaw has persisted through all subsequent versions up to and including version 2.7. GNU InetUtils versions 1.9.3 through 2.7 are vulnerable.
According to OpenWall, organizations running telnetd from GNU InetUtils should immediately assess their exposure. GNU maintainers recommend three approaches:
| Approach | Description |
|---|---|
| Disable telnetd | Turn off telnet due to insecurity (preferred) |
| Restrict access | Allow only trusted clients |
| Upgrade software | Apply patches by Eggert & Josefsson |
This vulnerability demonstrates the persistent risks associated with legacy protocols like telnet.
The authentication bypass allows complete system compromise with root privileges, making this a critical security threat for any system that exposes telnetd to untrusted networks.
Organizations should prioritize either updating GNU InetUtils or immediately turning off telnetd. The availability of patches means that delayed remediation significantly increases the risk of compromise.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Critical GNU InetUtils Vulnerability Allows Unauthenticated Root Access Via “-f root” appeared first on Cyber Security News.
Terraria developer Re-Logic has confirmed that updates will continue "beyond" the 1.4.6 update and the…
GTA 6 is due out November 19, 2026, but as we all know it’s suffered…
May 17, 2026 As the last day of school in Sioux Falls approaches this week,…
Without wanting to make too broad a generalization, it’s safe to say that Saturday Evening Post…
Microsoft has officially acknowledged a critical installation failure affecting its May 2026 Patch Tuesday cumulative…
A critical Windows privilege escalation zero-day vulnerability dubbed “MiniPlasma” has emerged with a public proof-of-concept…
This website uses cookies.