A critical security flaw has been disclosed in the GNU InetUtils telnet daemon (telnetd) that went unnoticed for nearly 11 years.

The vulnerability, tracked as CVE-2026–24061, is rated 9.8 out of 10.0 on the CVSS scoring system. It affects all versions of GNU InetUtils from version 1.9.3 up to and including version 2.7.

“Telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a ‘-f root’ value for the USER environment variable,” according to a description of the flaw in the NIST National Vulnerability Database (NVD).