telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.
The attacker sends the value "-f root" to the telnetd server as the content of the USER environment variable when establishing a Telnet session. This value is interpreted as a command-line argument (CWE-88: argument injection), causing the authentication mechanism to be bypassed and the session to be opened with root user privileges. The attack requires no authentication, user interaction, or special privileges — only network access to the telnetd service is sufficient.
An unauthorized remote attacker gains full system access with administrator (root) privileges, enabling server takeover, data read and modification, and further actions within the victim's network.
Immediately apply patches indicated in the project repository commits (ccba9f748aa8d50a38d7748e2e60362edd6a32cc and fd702c02497b2f398e739e3119bed0b23dd7aa7b). Until updating, it is recommended to disable the telnetd service and replace it with a more secure alternative (e.g., SSH). Monitor Debian Linux distribution package updates and apply them immediately upon release.
GNU Inetutils versions up to 2.7 inclusive (telnetd); Debian Linux-based systems using the inetutils package
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDebian
OSDebian11.0Gnu Inetutils
APPGnu1.9.3 – 2.7
CISA KEV — detailsi
- Vendori
- GNU
- Producti
- InetUtils
- Added to KEVi
- January 26, 2026
- Remediation deadline (US Federal)i
- February 16, 2026(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
GNU InetUtils contains an argument injection vulnerability in telnetd that could allow for remote authentication bypass via a "-f root" value for the USER environment variable.
Related vulnerabilities
Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)
RCE przez deserializację PHP w Roundcube Webmail (parametr _from)
Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)
Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki
Apache Tomcat: Path Equivalence prowadzący do RCE i ujawnienia danych