Threat actors are exploiting a critical vulnerability that affects hundreds of thousands of telnet servers, bringing an often-neglected threat vector back into the limelight.
On Monday, the US Cybersecurity and Infrastructure Security Agency (CISA) added a critical authentication bypass flaw in the GNU InetUtils telnetd server to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, tracked as CVE-2026-24061, has lingered in the open source program for more than a decade and, if exploited, could give attackers complete control of a device.
“If you are tired of modern age vulnerabilities, and remember the good old times on bugtraq, I hope you will appreciate this one,” security researcher Simon Josefsson wrote in his Jan. 20 disclosure on SecLists.org.
According to Josefsson, the vulnerability was introduced in May 2015 with version 1.9.3 of InetUtils, a collection of common network utilities that includes telnet programs for remote access. While CVE-2026-24061 was addressed with version 2.8 of InetUtils, the flaw is easy to exploit and attackers are already pouncing on it.
“GNU Inetutils Telnetd allows remote authentication bypass via an “-f root” value for the USER environment variable,” the Centre for Cybersecurity Belgium (CCB) wrote in an advisory last week, urging users to patch immediately. “This is a simple argument injection vulnerability that enables attackers to bypass authentication controls.”
Perhaps more concerning is the staggering number of exposed telnet servers across the globe, according to an emailed advisory from the Shadowserver Foundation. “We are ~800K telnet instances exposed globally — naturally, they should not be,” Shadowserver Foundation CEO Piotr Kijewski wrote in the advisory, adding that the foundation lacked a safe way to check for the vulnerability in exposed instances.
IoT Devices At Risk
Telnet is considered an obsolete network protocol that isn’t used much anymore because of its lack of security, transmitting data in plaintext between the client and server with no encryption. However, it is still used by legacy systems and Internet of Things (IoT) equipment.
“Telnet should not be publicly exposed, but often is especially on legacy IoT devices,” Kijewski wrote.
Despite the known risks associated with exposed telnet instances, not to mention the insecure nature of the protocol itself, Forescout Technologies charted what it called a “concerning trend” last year in its report titled “The Riskiest Connected Devices of 2025.”
“The use of [the Secure Shell protocol, or SSH] — which is encrypted — declined across all industries, but the use of Telnet — which is not encrypted — increased in every industry,” Forescout’s Vedere Labs wrote in the report. “The largest rise in Telnet usage occurred in government networks — growing from 2% to 10% of devices — which correlates with the rise in embedded operating systems.”
Organizations in manufacturing, healthcare, and government sectors have the most devices using telnet. Source: Forescout Technologies
The stats are even more distressing considering the attention that threat actors pay to telnet-related vulnerabilities and insecure IoT devices in general. Daniel dos Santos, vice president of research at Forescout, tells Dark Reading that the most common devices still using the protocol are printers, networking equipment, and VoIP devices, as well as operational technology (OT) like building automation controllers and programmable logic controllers.
He warns that the vulnerable InetUtils telnetd component is likely used by many of the devices, but it may be a challenge for organizations to track which products are vulnerable. “Security teams reviewing their networks will have to wait for vendors to issue patches that contain the fix for the telnet server. Our past experience with this type of supply chain vulnerability shows that this can take years,” dos Santos says, citing Forescout’s “Project Memoria” research into neglected TCP/IP vulnerabilities.
Time to Retire Telnet?
In a post on Medium, penetration tester Shivam Bathla wrote that even though telnet is an ancient protocol, he has encountered multiple instances of exposed telnet ports in systems and vehicles during pen-test engagements, which proves the protocol is “not a thing of the past but very relevant” to today’s threat landscape.
“And I must tell you, it blew my mind on how easy it was to exploit this vulnerability,” Bathla wrote.
Dos Santos says that 4% of all connected devices monitored by Forescout still use telnet. That may seem like a small number, but it accounts for a significant attack surface.
“Although this is a terrible practice, there are hundreds of thousands of devices with exposed telnet servers on the Internet,” he says. “Telnet was the 10th most attacked protocol last year according to our data, with most of the attacks relying on brute forcing, since authentication bypass or remote code execution vulnerabilities on telnet servers are not so common.”
While upgrading to a fixed InetUtils version mitigates the threat of CVE-2026-24061, Josefsson offered simple advice for organizations. “Do not run a telnetd server at all,” he wrote in his disclosure.
In lieu of that, he recommended organizations restrict network access to the telnet port to trusted clients only. As a temporary workaround, users can disable the telnetd server or enforce a custom login tool that does not permit use of the “-f” parameter.
Dos Santos urged organizations to make sure they don’t have devices or systems with exposed Telnet servers on the Internet. Additionally, high-risk devices should be segmented from the rest of the network.
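The temporary workaround Josefsson describes, a custom login tool that does not permit the “-f” parameter, could take the form of a small wrapper that telnetd runs in place of the system login program. The C sketch below is an added example, not code from Josefsson's disclosure or the InetUtils project; the /bin/login path, the allow-list of “-p” and “-h” options, and the account-name character policy are assumptions to adapt per system.

```c
/* Added example: restrictive login wrapper (paths and policy are assumptions). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define REAL_LOGIN "/bin/login" /* assumed location of the real login program */
#define MAX_NAME 32             /* assumed upper bound on account-name length */

/* Accept only names that start with a letter or '_' and contain [A-Za-z0-9_.-].
 * A leading '-' or embedded whitespace, as in "-f root", is rejected. */
int name_ok(const char *s)
{
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > MAX_NAME) return 0;
    if (!isalpha((unsigned char)s[0]) && s[0] != '_') return 0;
    for (size_t i = 1; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* Allow-list the argument vector: "-p" and "-h <host>" pass, at most one
 * positional account name passes, and every other option (notably -f) fails. */
int args_ok(int argc, char *const argv[])
{
    int names = 0;
    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (strcmp(a, "-p") == 0) continue;
        if (strcmp(a, "-h") == 0) {
            if (++i >= argc || argv[i][0] == '-') return 0; /* host required */
            continue;
        }
        if (!name_ok(a) || ++names > 1) return 0;
    }
    return 1;
}

int main(int argc, char *argv[])
{
    if (!args_ok(argc, argv)) {
        fprintf(stderr, "login-wrapper: argument list refused\n");
        return 1;
    }
    execv(REAL_LOGIN, argv); /* only reached with a vetted argument list */
    perror("execv");
    return 1;
}
```

The wrapper refuses the injected value whether it arrives as a single argument or split into separate words, and it still leaves the unpatched telnetd running, so it complements rather than replaces the upgrade to InetUtils 2.8.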

