Critical Authentication Bypass Flaw in GNU InetUtils telnetd Grants Immediate Root Access
A severe remote authentication bypass vulnerability (CVE pending) has been disclosed in the GNU InetUtils telnetd server, affecting versions 1.9.3 through 2.7. The flaw allows unauthenticated attackers to gain immediate root access by exploiting improper input validation in the handling of the USER environment variable.
Technical Details & Exploitation
The vulnerability stems from telnetd’s failure to sanitize the USER environment variable before passing it to /usr/bin/login. The login utility interprets the -f parameter as an instruction to bypass authentication for the named user, so a crafted USER value (e.g., -f root) is read as an option plus a user name rather than as a user name, and the attacker gains unrestricted root access.
Exploitation is straightforward:
USER='-f root' telnet -a localhost
This command directly spawns a root shell without authentication, demonstrating the flaw’s severity.
The issue was introduced in a March 19, 2015, commit aimed at improving telnetd functionality and remained undetected until its responsible disclosure on January 19, 2026. The root cause lies in insufficient variable expansion sanitization in telnetd/utility.c, where the _var_short_name() function returns unsanitized environment variables. Researchers warn that similar risks may exist for other untrusted variables, such as remote_hostname.
Mitigation & Patching
The GNU InetUtils team urges immediate action, recommending:
- Disabling telnetd services or restricting access to trusted clients.
- Applying security patches that sanitize variable expansion to prevent command injection.
- Upgrading to patched releases once available.
- Deploying custom login utilities that reject the -f parameter as a temporary workaround.
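One way to do the sanitizing named in the list above, shown as an added example in C; it is not the InetUtils patch and not telnetd's own code. The function names, the 256-byte limit, the rejected character set, and the use of -h and -- on the login command line are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if an untrusted client-supplied value (USER, remote host name)
   is safe to use as ONE login operand, else 0. Constructed policy. */
int safe_login_operand(const char *value)
{
    size_t i, len;
    if (value == NULL || value[0] == '\0' || value[0] == '-')
        return 0;                      /* leading '-' parses as an option (-f) */
    len = strlen(value);
    if (len > 256)                     /* hypothetical length limit */
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char) value[i];
        if (isspace(c) || iscntrl(c))  /* would split into extra arguments */
            return 0;
        if (strchr("'\"\\$`;&|<>(){}*?", c) != NULL) /* quoting/meta chars */
            return 0;
    }
    return 1;
}

/* Build login's argv from validated values only. Returns the argument count,
   or -1 when a value is rejected; the caller should then drop the session. */
int build_login_argv(const char *login_path, const char *host,
                     const char *user, const char *out[], size_t cap)
{
    int n = 0;
    if (cap < 6 || !safe_login_operand(host))
        return -1;
    if (user != NULL && !safe_login_operand(user))
        return -1;
    out[n++] = login_path;
    out[n++] = "-h";
    out[n++] = host;
    out[n++] = "--";                   /* assumed: login stops option parsing here */
    if (user != NULL)
        out[n++] = user;
    out[n] = NULL;
    return n;
}

int main(void)
{
    const char *av[6];                 /* constructed sample values below */
    printf("%d\n", build_login_argv("/usr/bin/login", "client.example", "-f root", av, 6));
    return 0;
}
```

Passing the values as separate argv entries, instead of expanding them into one string that is split afterwards, means a value can never turn into more than one argument even if the character check misses something.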
Impact & Risk
This vulnerability poses a critical risk to organizations running telnetd, particularly legacy systems requiring backward compatibility. The unauthenticated nature and ease of exploitation make it a high-priority patching requirement. Systems exposed to untrusted networks are at heightened risk of compromise.
GNU Project cybersecurity rating report: https://www.rankiteo.com/company/gnu-project