
Summary
This rule identifies exploitation attempts against a critical remote authentication bypass in the GNU Inetutils Telnet daemon (`telnetd`), tracked as CVE-2026-24061. The flaw is triggered by a crafted `USER` environment variable carrying `-f <username>`: `telnetd` passes that value through to `login`, so the resulting command line is `login -f <username>`. Because `-f` tells `login` that the user has already been authenticated, no password is requested and the attacker obtains a session as the named account, including `root`. The detection therefore looks for `login` executions whose arguments contain the `-f` flag, typically with `telnetd` as the parent process, which is a strong indicator of exploitation. Legitimate `-f` usage is rare, so any hit warrants triage: trace the parent process chain of the suspicious `login` execution, confirm that the Telnet service is actually present and exposed on the host, examine post-authentication activity for signs of hands-on-keyboard abuse, and check for related alerts on the same host in the previous 48 hours. Recommended response actions include isolating the affected host, terminating the suspicious session, and replacing Telnet with a secure alternative such as SSH.
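As an added illustration of the detection logic described above (example code written for this page, not the rule's own query or any vendor detection engine), the following Python runs the `login -f` check over a handful of constructed Linux process-creation events. The event fields, host names, timestamps and the `high`/`review` severity labels are assumptions made for the example; only the core pattern, `login` with `-f` spawned by `telnetd` or `in.telnetd`, comes from the rule description. It also carries the 48-hour "related alerts" triage step as a count attached to each alert.

```python
"""Detection of `login -f` spawned by telnetd over constructed process events.

Added example for this page; it is not the rule's own query. Event shape,
host names, timestamps and severity labels are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Parent process names treated as the Telnet daemon (assumption: common
# binary names on Linux distributions).
TELNETD_NAMES = {"telnetd", "in.telnetd"}


@dataclass
class ProcessEvent:
    timestamp: datetime
    host: str
    name: str         # executable basename, e.g. "login"
    args: list        # full argv of the process
    parent_name: str  # executable basename of the parent process


def forced_username(args):
    """Return the user name given to `login -f`, or None when -f is absent.

    Handles `-f user` and the attached form `-fuser`, and skips over `-h host`
    (which takes its own argument). Scanning stops at the first non-option
    token or at `--`, so a positional user name literally called "-f" is not
    reported. Merged short options such as `-pf` are not decoded here.
    """
    i = 1
    while i < len(args):
        a = args[i]
        if a == "--" or not a.startswith("-"):
            return None
        if a == "-f":
            # `-f` with no following argument is malformed but still -f
            return args[i + 1] if i + 1 < len(args) else ""
        if a.startswith("-f"):
            return a[2:]
        if a == "-h":
            i += 2          # skip the hostname argument
            continue
        i += 1
    return None


def evaluate(event):
    """Classify one event: (severity, reason) for a hit, None otherwise."""
    if event.name != "login":
        return None
    user = forced_username(event.args)
    if user is None:
        return None
    if event.parent_name in TELNETD_NAMES:
        return ("high", f"telnetd spawned login -f {user!r} (CVE-2026-24061 pattern)")
    # -f from any other parent is rare (e.g. getty autologin) but can be
    # legitimate, so it is surfaced for review rather than alerted as high.
    return ("review", f"{event.parent_name} spawned login -f {user!r}")


def detect(events, window=timedelta(hours=48)):
    """Run the check over events and return alerts in time order.

    Each alert records how many earlier alerts fired on the same host within
    `window`, mirroring the triage step of checking the previous 48 hours.
    """
    alerts = []
    for ev in sorted(events, key=lambda e: e.timestamp):
        verdict = evaluate(ev)
        if verdict is None:
            continue
        severity, reason = verdict
        prior = [a for a in alerts
                 if a["host"] == ev.host and ev.timestamp - a["timestamp"] <= window]
        alerts.append({"timestamp": ev.timestamp, "host": ev.host,
                       "severity": severity, "reason": reason,
                       "prior_alerts_48h": len(prior)})
    return alerts


# Constructed sample telemetry (not captured from a real system).
T0 = datetime(2026, 1, 24, 12, 0, 0)
SAMPLE_EVENTS = [
    ProcessEvent(T0, "web-01", "login",
                 ["login", "-h", "10.0.0.5", "-p", "-f", "root"], "telnetd"),
    ProcessEvent(T0 + timedelta(minutes=1), "web-01", "login",
                 ["login", "-h", "10.0.0.5", "-p", "alice"], "in.telnetd"),
    ProcessEvent(T0 + timedelta(minutes=5), "kiosk-07", "login",
                 ["login", "-froot"], "in.telnetd"),
    ProcessEvent(T0 + timedelta(hours=1), "kiosk-07", "login",
                 ["login", "-f", "kiosk"], "agetty"),
    ProcessEvent(T0 + timedelta(hours=2), "web-01", "bash",
                 ["bash", "-f"], "sshd"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["host"], alert["severity"], alert["reason"],
              "prior alerts in 48h:", alert["prior_alerts_48h"])
```

Running the block prints two `high` alerts (the normal `login -h ... -p alice` and the unrelated `bash -f` are ignored) plus one `review` entry for the `agetty` autologin on `kiosk-07`, which carries `prior_alerts_48h: 1` because the same host had a `telnetd` hit an hour earlier. In a production rule the parent-process condition would normally be part of the query itself; the split into `high` and `review` here only illustrates why the rule description calls standalone `-f` usage rare rather than always malicious.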
Categories
- Endpoint
- Linux
Data Sources
- Process
- Network Traffic
- Application Log
ATT&CK Techniques
- T1190
- T1210
Created: 2026-01-24