> a mountain of legacy and they are fine.

telnetd CVE-2026-24061. It's embarrassingly simple exploit but took years to be discovered.

> When telnetd invokes /usr/bin/login, it passes the USER value directly. If an attacker sets USER=-f root and connects using telnet -a or --login, the login process interprets -f root as a flag to bypass authentication, granting immediate root shell access.