
Summary
This detection rule identifies attempts to exploit a Telnet remote authentication bypass vulnerability (CVE-2026-24061) affecting GNU Inetutils telnetd. The issue arises when a remote attacker supplies a crafted `-f <username>` value through the `USER` environment variable, allowing unauthorized access and spawning a login process with elevated privileges. The rule relies on monitoring process executions where the `telnetd` service is initiated and subsequently checks for any executions of the `login` process that include the `-f` flag. This detection is critical because of the potential for an attacker to gain root access without authentication. Investigative measures include reviewing the process execution lineage, confirming the legitimacy of the `telnetd` service running on the host, and monitoring post-login activity for any signs of exploitation or unauthorized actions. Quick isolation and remedial actions, such as terminating suspicious sessions and applying patches, are recommended to mitigate the associated threat.
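The rule's core logic, expressed as a small matcher run over process-execution events, is added here as an illustration; it is not the rule page's own query nor code from GNU Inetutils. The event field names (`pid`, `name`, `args`, `parent_name`, `host`) are assumptions about the telemetry schema, and the sample events are constructed. The matcher handles both the separated (`-f user`) and attached (`-fuser`) forms of the flag, and uses the `telnetd` parent check to keep legitimate auto-login uses of `login -f` (for example from a console getty) out of the alert stream.

```python
from typing import Dict, List, Optional

# Constructed sample process-execution events (not real telemetry). Each
# event records the executable name, its argv and the parent executable.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # telnetd spawning login with a pre-authenticated user: the rule's target.
    {"pid": 4101, "name": "login",
     "args": ["login", "-h", "198.51.100.7", "-f", "root"],
     "parent_name": "telnetd", "host": "srv-01"},
    # Normal telnet flow: login is spawned without -f, so the user must
    # still authenticate.
    {"pid": 4102, "name": "login",
     "args": ["login", "-h", "198.51.100.8", "-p"],
     "parent_name": "telnetd", "host": "srv-01"},
    # Console auto-login also uses -f but has a different parent; the parent
    # check keeps this benign case out of the alerts.
    {"pid": 4103, "name": "login", "args": ["login", "-f", "kiosk"],
     "parent_name": "agetty", "host": "kiosk-02"},
    # Attached form of the flag under telnetd; still matches.
    {"pid": 4104, "name": "login", "args": ["login", "-fadmin"],
     "parent_name": "telnetd", "host": "srv-03"},
]


def forced_login_user(args: List[str]) -> Optional[str]:
    """Return the username given to login's -f option, accepting both the
    separated ('-f', 'user') and attached ('-fuser') spellings.

    Returns '' when -f is the last argument (flag present, no user) and
    None when the flag is absent. argv[0] is skipped.
    """
    for i in range(1, len(args)):
        arg = args[i]
        if arg == "-f":
            return args[i + 1] if i + 1 < len(args) else ""
        # '--foo' starts with '--', so long options are not mistaken for -f.
        if arg.startswith("-f") and not arg.startswith("--") and len(arg) > 2:
            return arg[2:]
    return None


def matches_rule(event: Dict[str, object]) -> bool:
    """True when a login process carrying -f was spawned by telnetd."""
    if event.get("name") != "login":
        return False
    if event.get("parent_name") != "telnetd":
        return False
    args = event.get("args")
    if not isinstance(args, list):
        return False
    return forced_login_user(args) is not None


def detect(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run the matcher over a batch of events and build triage-ready alerts.

    Each alert carries the host, pid and the user that login was told to
    accept without a password, which is the first thing an analyst needs
    when reviewing the process lineage described in the rule.
    """
    alerts = []
    for ev in events:
        if matches_rule(ev):
            alerts.append({
                "host": ev["host"],
                "pid": ev["pid"],
                "forced_user": forced_login_user(ev["args"]),  # type: ignore[arg-type]
                "reason": "login -f spawned by telnetd (possible auth bypass)",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The parent-process constraint is what gives the rule its precision: `login -f` on its own is used by several legitimate auto-login paths, so alerting on the flag alone would be noisy. An alert from this matcher is the starting point for the lineage review and post-login activity check the summary calls for, not a verdict in itself.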
Categories
- Endpoint
- Linux
Data Sources
- Process
- User Account
- Application Log
ATT&CK Techniques
- T1190
- T1210
Created: 2026-01-26