
The flaw allows attackers to gain unauthorized root access to vulnerable systems by manipulating the USER environment variable during telnet negotiation.
Vulnerability Overview
The security flaw, tracked as a remote authentication bypass in GNU InetUtils telnetd, affects versions 1.9.3 through 2.7 and has been classified as high severity.
The vulnerability stems from improper input sanitization where the telnetd server passes the USER environment variable directly to the login binary without validation.
When an attacker supplies the specially crafted string “-f root” as the USER environment variable and uses the telnet -a or --login parameter, the system automatically logs them in as root, completely bypassing normal authentication mechanisms.
This occurs because the login utility interprets the -f flag as a command to skip authentication checks.
The bug was introduced in a commit made on March 19, 2015, and was included in version 1.9.3 released on May 12, 2015.
Security researcher Kyu Neushwaistein (Carlos Cortes Alvarez) discovered and reported the vulnerability on January 19, 2026, prompting an immediate security advisory from GNU maintainer Simon Josefsson.
Within 18 hours of the public disclosure, threat intelligence firm GreyNoise Labs detected active exploitation attempts targeting vulnerable telnet services across the internet.
Analysis of network traffic captured from honeypot sensors revealed 18 unique attacker source IP addresses conducting 60 distinct exploitation attempts.
| Metric | Value |
|---|---|
| Total Packets Captured | 1,525 |
| Total Data Volume | 104,025 bytes (101.6 KB) |
| Telnet Protocol Frames | 712 (46.7% of packets) |
| Unique TCP Sessions | 60 |
| Unique Attacker IPs | 18 |
| First Attack Timestamp | Jan 21, 2026 07:19:15 UTC |
| Last Attack Timestamp | Jan 22, 2026 04:08:41 UTC |
The most prolific attacker (178.16.53.82) launched 12 separate exploitation sessions targeting 10 unique systems, using a consistent payload configuration with 9600 baud terminal speed and XTERM-256COLOR terminal type.
This pattern suggests the use of automated exploitation toolkits rather than manual keyboard-driven attacks.
Attack Methodology and Payloads
All observed attacks follow a standard telnet negotiation sequence where malicious actors inject the USER environment variable during the initial connection handshake.
The exploit leverages telnet’s IAC (Interpret As Command) protocol feature to embed the authentication bypass payload.
Attack payloads varied across different threat actors, with terminal speed configurations ranging from 0 baud (no negotiation) to 38,400 baud.
Terminal type declarations included uppercase “XTERM-256COLOR,” lowercase “xterm-256color,” “screen-256color” for GNU Screen multiplexer users, and generic “UNKNOWN” types.
While 83% of attackers targeted the root account directly, some sophisticated actors tested alternative accounts including “nobody,” “daemon,” and even fictional usernames like “nonexistent123,” suggesting attempts to evade detection systems monitoring for root access attempts.
Following successful exploitation, attackers executed reconnaissance commands to fingerprint compromised systems.
The most common post-exploitation activity involved running system enumeration commands including uname -a for kernel information, id for user context, cat /proc/cpuinfo for hardware details, and cat /etc/passwd for user account enumeration.
One attacker (216.106.186.24) attempted to establish persistence by injecting an SSH public key into the root account’s authorized_keys file.
The 3072-bit RSA key originated from “root@s51865.vps.hosting,” indicating the use of rented VPS infrastructure for attack operations. However, this persistence attempt failed because the .ssh directory did not exist on the target system.
The same threat actor also attempted malware deployment by downloading a Python script from http://67.220.95.16:8000/apps.py using curl and executing it in the background with nohup.
This second-stage payload likely represents botnet client software or cryptocurrency mining malware, though the deployment failed due to missing curl and Python installations on the honeypot targets.
Despite the vulnerability’s high severity rating, an early scan by security firm Censys found only approximately 3,000 exposed telnet services that could be running vulnerable GNU InetUtils versions.
This relatively small attack surface, combined with the declining use of telnet services in modern infrastructure, has limited the vulnerability’s overall impact.
GreyNoise Labs characterized the exploitation campaign as a “nothingburger of a weakness” due to the minimal number of vulnerable systems and the largely unsuccessful exploitation attempts observed in their honeypot network.
Many post-exploitation commands failed because target environments lacked basic utilities like curl, Python, or properly configured SSH directories.
Security monitoring teams should implement detection rules for suspicious telnet authentication patterns, particularly USER environment variables containing the “-f” flag or other command-line arguments.
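One way to implement that detection, added here as an example and not drawn from the article or from GNU InetUtils: the helper below pulls every variable out of the telnet NEW-ENVIRON subnegotiations (option 39, IS/VAR/VALUE/ESC codes as in RFC 1572) in a captured client byte stream and flags USER values shaped like login arguments rather than user names. The two sample streams at the bottom are constructed, not captured traffic.

```python
import re
IAC, SB, SE, NEW_ENVIRON = 255, 250, 240, 39          # telnet option 39 = NEW-ENVIRON
IS, INFO = 0, 2                                        # client -> server subcommands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3                  # NEW-ENVIRON type codes
OPTION_LIKE = re.compile(r"(^|\s)-")                   # leading "-" or an embedded " -flag"

def parse_new_environ(body: bytes) -> list[tuple[str, str]]:
    """Decode VAR/USERVAR names and VALUE bytes from one NEW-ENVIRON IS/INFO body."""
    pairs, buf, i = [], None, 0
    while i < len(body):
        b = body[i]
        if b in (VAR, USERVAR):                        # a new variable name starts
            pairs.append([bytearray(), bytearray()])
            buf = pairs[-1][0]
        elif b == VALUE and pairs:                     # its value starts
            buf = pairs[-1][1]
        elif buf is not None:
            if b == ESC and i + 1 < len(body):         # ESC quotes the next byte literally
                i += 1
                b = body[i]
            buf.append(b)
        i += 1
    return [(n.decode("latin-1"), v.decode("latin-1")) for n, v in pairs]

def extract_environ(stream: bytes) -> list[tuple[str, str]]:
    """Find every IAC SB NEW-ENVIRON ... IAC SE block in a client-to-server byte stream."""
    pairs, pos = [], 0
    while (start := stream.find(bytes([IAC, SB, NEW_ENVIRON]), pos)) >= 0:
        end = stream.find(bytes([IAC, SE]), start)     # note: does not un-double IAC IAC
        if end < 0:
            break
        body = stream[start + 3:end]
        if body and body[0] in (IS, INFO):
            pairs += parse_new_environ(body[1:])
        pos = end + 2
    return pairs

def suspicious_user_values(stream: bytes) -> list[str]:
    """USER values shaped like login arguments (the "-f root" bypass) rather than names."""
    return [v for n, v in extract_environ(stream) if n == "USER" and OPTION_LIKE.search(v)]

def build_environ(*pairs: tuple[str, str]) -> bytes:
    """Construct a client NEW-ENVIRON IS subnegotiation for test traffic (not a capture)."""
    body = bytearray([IAC, SB, NEW_ENVIRON, IS])
    for n, v in pairs:
        body += bytes([VAR]) + n.encode() + bytes([VALUE]) + v.encode()
    return bytes(body + bytes([IAC, SE]))

# Constructed samples: a normal login and the payload shape described in the article.
BENIGN = build_environ(("USER", "alice"), ("TERM", "xterm-256color"))
BYPASS = bytes([IAC, 251, NEW_ENVIRON]) + build_environ(("USER", "-f root"))  # IAC WILL NEW-ENVIRON first
```

Feed `suspicious_user_values` the client side of each telnet session (for example, reassembled from a sensor capture) and alert on any non-empty result.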
The post telnetd Vulnerability Actively Exploited Following Public Proof-of-Concept Release appeared first on Cyber Security News.
