Linux Telnet Authentication Bypass

Splunk Security Content

Summary
This detection rule identifies exploitation of a vulnerability in the telnet service on Linux systems, tracked as CVE-2026-24061, which allows an attacker to bypass authentication and log in directly as root. The vulnerability arises because a specially crafted USER environment variable (-f root) is passed directly to the login process without proper sanitization. Successful exploitation enables unauthorized access to sensitive system resources and can result in a complete compromise of the system. The rule captures instances where the login process is started by telnetd with the malicious command-line parameters, based on the process details and its context.
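The matching logic described in the summary, as an added Python example run over constructed process events (this is not the rule's own search). The field names are assumed to follow the Splunk CIM Processes dataset, and the daemon names in `TELNET_PARENTS` are assumptions.

```python
import shlex
from pathlib import PurePosixPath

# Constructed sample process-creation events (not real telemetry).
# Field names are assumed to follow the Splunk CIM Processes dataset.
SAMPLE_EVENTS = [
    {"dest": "host-a", "parent_process_name": "telnetd",
     "process_name": "login", "process": "/bin/login -p -h 192.0.2.10 -f root"},
    {"dest": "host-b", "parent_process_name": "telnetd",
     "process_name": "login", "process": "/bin/login -p -h 192.0.2.11 alice"},
    {"dest": "host-c", "parent_process_name": "/usr/sbin/in.telnetd",
     "process_name": "/usr/bin/login", "process": "login -h 192.0.2.12 -f root -p"},
    {"dest": "host-d", "parent_process_name": "systemd",
     "process_name": "login", "process": "/bin/login -f root"},
    {"dest": "host-e", "parent_process_name": "telnetd",
     "process_name": "login", "process": "/bin/login -p -h 192.0.2.13 -f rooter"},
]

TELNET_PARENTS = {"telnetd", "in.telnetd"}  # assumed daemon names


def basename(path):
    """Reduce a full path to its final component so both forms compare equal."""
    return PurePosixPath(path).name


def has_forced_root(cmdline):
    """True when the tokenised command line has -f immediately followed by root."""
    try:
        tokens = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to a whitespace split
        tokens = cmdline.split()
    return any(a == "-f" and b == "root" for a, b in zip(tokens, tokens[1:]))


def is_suspicious(event):
    """login spawned by a telnet daemon with '-f root' on its command line."""
    return (basename(event.get("parent_process_name", "")) in TELNET_PARENTS
            and basename(event.get("process_name", "")) == "login"
            and has_forced_root(event.get("process", "")))


def detect(events):
    """Return the hosts whose events match the detection condition."""
    return [e["dest"] for e in events if is_suspicious(e)]


if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Matching on tokens rather than a substring keeps `-f rooter` from firing, and the parent check keeps a `login -f root` started by another parent out of the results.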
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1548
Created: 2026-01-29