Computers with Telnet open are in immediate danger of being compromised due to a critical vulnerability that allows attackers to bypass authentication.
The Telnet remote access protocol has long been superseded by the more secure and encrypted SSH, but many IoT and embedded devices have continued to ship with Telnet exposed on the LAN interface for debugging purposes over the years.
Making things worse, the vulnerability, now tracked as CVE-2026-24061, is trivial to exploit remotely, and because it has existed in the codebase for the past 11 years since version 1.9.3, it likely impacts many devices that are no longer supported and will not receive firmware updates.
Trivial exploitation
“The telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter,” Simon Josefsson, a GNU contributor who submitted the patch, said on the OSS-SEC mailing list. “If the client supplies a carefully crafted USER environment value being the string “-f root”, and passes the telnet(1) -a or --login parameter to send this USER environment to the server, the client will be automatically logged in as root bypassing normal authentication processes.”
In other words, the exploit is achieved with the simple command: USER=‘-f root’ telnet -a [host_ip]. This not only works against remote systems, but it can also serve as a privilege escalation exploit on the local machine if the telnet service (telnetd) is running.
Telnet is part of inetutils, the GNU network utilities package shipped with all Linux and other UNIX-based systems. Users are advised to deploy the patch as soon as possible or update to a patched version offered by their distribution. As a temporary mitigation, users are advised to either disable the telnet service entirely or filter access to it to only allow white-listed IP addresses.
Scan enterprise networks
The Telnet server should never be exposed to the internet in this day and age, but misconfigured servers and IoT devices that have it enabled continue to exist. These will be easily compromised by IoT worms and botnet malware. Malicious traffic monitoring service GreyNoise is already seeing attempts to exploit this vulnerability.
It’s more common to find Telnet exposed inside local networks, despite the fact that, given that it’s an obsolete program, it shouldn’t be used at all. Organizations should scan their networks and immediately isolate and firewall Telnet-enabled devices because all it takes is a malware infection on any other computer on the network for attackers to have an opportunity to exploit them. Executing this attack doesn’t require any special privileges, as low-privileged users can typically initiate telnet connections.