Threat actors are actively exploiting a serious authentication bypass vulnerability in the GNU InetUtils telnetd service after a proof-of-concept exploit was made public on January 20, 2026. By altering the USER environment variable during telnet negotiation, attackers can obtain unauthorized root access to susceptible systems.

Overview of Vulnerabilities

The high-severity security flaw, tracked as a remote authentication bypass in GNU InetUtils telnetd, affects versions 1.9.3 through 2.7. The root cause is inadequate input sanitization: the telnetd server passes the USER environment variable straight to the login binary without validation.

When an attacker uses the telnet -a or --login parameter and supplies the specially constructed string "-f root" as the USER environment variable, the system automatically logs them in as root, completely circumventing standard authentication procedures.

Although the deployment failed because the honeypot targets' curl and Python installations were missing, this second-stage payload most likely represents botnet client software or cryptocurrency mining malware.

Despite the vulnerability's high severity, early reconnaissance by security company Censys found only about 3,000 exposed telnet services that might be running vulnerable GNU InetUtils versions. This comparatively small attack surface and the waning use of telnet services in contemporary infrastructure have constrained the overall impact of the vulnerability.

Due to the small number of susceptible systems and the mostly fruitless exploitation attempts seen in their honeypot network, GreyNoise Labs described the exploitation campaign as a "nothingburger of a weakness." Because target environments lacked basic utilities like curl, Python, or properly configured SSH directories, many post-exploitation commands failed.