The Day Telnet Died: What CVE-2026-24061 Means for Your Infrastructure

Something unprecedented happened to internet infrastructure last month. GreyNoise's Global Observation Grid recorded a sudden collapse in telnet traffic, dropping from 74,000 sessions per hour to just 11,000. This was not a gradual decline. It was a step function, suggesting coordinated infrastructure changes at the backbone level.
What Happened
Before January 14, GreyNoise observed approximately 914,000 telnet sessions daily. After the drop, that number fell to around 373,000, a 59% sustained reduction that persists today. Major ISPs like Vultr, Cox Communications, and Charter/Spectrum saw their telnet traffic drop to zero. Five countries (Zimbabwe, Ukraine, Canada, Poland, and Egypt) completely vanished from telnet observation data.
The pattern strongly suggests that one or more Tier 1 transit providers implemented port 23 filtering on their backbone infrastructure.
CVE-2026-24061: The Critical Vulnerability
Six days after the traffic collapse, security researchers disclosed CVE-2026-24061, a CVSS 9.8 authentication bypass vulnerability in GNU Inetutils telnetd. The flaw exploits how telnetd handles the USER environment variable during option negotiation. An attacker can send "-f root" as the username, causing login to skip authentication entirely and grant root access.
This vulnerability sat undiscovered in the codebase for 11 years, since a 2015 commit. Within hours of disclosure, exploitation attempts were observed in the wild. CISA added it to the Known Exploited Vulnerabilities catalog on January 26, with a remediation deadline of February 16, 2026.
Why This Matters for SRE Teams
Telnet may feel like ancient history, but it persists in unexpected places:
- Legacy network appliances and switches
- Embedded systems and IoT devices
- Industrial control systems
- Old Linux installations running GNU Inetutils
- Internal jump hosts and bastion servers
If you have any GNU Inetutils telnetd instances running, they are now trivially exploitable by anyone who can reach port 23.
What You Should Do
- Audit your infrastructure for any services listening on port 23
- Patch immediately to GNU Inetutils 2.7-2 or later
- Disable telnet entirely if you do not have an explicit business need
- Block port 23 at your firewall perimeter
- Switch to SSH for remote administration
The coordinated backbone filtering suggests that security teams with advance notice took drastic action to protect infrastructure. Your organization should follow suit.
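For the first step in the list above, auditing for services listening on port 23, here is an added example (not part of the original article) that parses Linux /proc/net/tcp and /proc/net/tcp6 text and reports every LISTEN socket on port 23, marking each as loopback-only or network-reachable. It assumes a little-endian Linux host; the function names and the sample rows are constructed for illustration.

```python
import ipaddress
import struct

TELNET_PORT = 23
TCP_LISTEN = "0A"  # state code the kernel prints for LISTEN sockets

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1
   1: 0100007F:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002 1
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20003 1
   3: 0A00000A:0017 0B00000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 20004 1
"""

def decode_addr(hex_addr):
    """Decode a kernel hex address: 32-bit words in host order (little-endian assumed)."""
    words = [int(hex_addr[i:i + 8], 16) for i in range(0, len(hex_addr), 8)]
    return ipaddress.ip_address(b"".join(struct.pack("<I", w) for w in words))

def telnet_listeners(proc_net_text, port=TELNET_PORT):
    """Return (address, exposure, inode) for every LISTEN socket bound to `port`."""
    found = []
    for line in proc_net_text.splitlines():
        fields = line.split()
        # Header rows and non-listening sockets (e.g. established sessions) are skipped.
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        hex_addr, hex_port = fields[1].rsplit(":", 1)
        if int(hex_port, 16) != port:
            continue
        addr = decode_addr(hex_addr)
        exposure = "loopback-only" if addr.is_loopback else "network-reachable"
        found.append((str(addr), exposure, int(fields[9])))
    return found

if __name__ == "__main__":
    import pathlib
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        p = pathlib.Path(path)
        text = p.read_text() if p.exists() else ""
        for addr, exposure, inode in telnet_listeners(text):
            print(f"{path}: port 23 listener on {addr} ({exposure}), socket inode {inode}")
```

A listener found this way may be owned by inetd, xinetd or a systemd socket unit rather than a process named telnetd, so audit on the socket rather than the process name.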
Conclusion
The telnet protocol has been considered insecure for decades, but legacy systems persist. CVE-2026-24061 makes this technical debt an immediate operational risk. Take this as the wake-up call to audit your environment and eliminate unencrypted remote access protocols.
