- Critical Telnet Vulnerability (CVE-2026-24061) Exposing 800,000 Devices Worldwide
- Attackers gain root access, attempt to deploy Python malware after bypassing authentication
- Patch released; users are encouraged to disable Telnet or block port 23
A major security vulnerability has been discovered in Telnet, an old remote access tool that is already being exploited on a fairly large scale, experts have warned.
Researchers at Shadowserver said they saw nearly 800,000 IP addresses with Telnet fingerprints, suggesting a huge attack surface.
Telnet is an old network protocol that allows users to remotely log into devices. Because it’s outdated and insecure, it should no longer be exposed to the Internet, but hundreds of thousands of devices still are — especially older Linux systems, routers, and IoT devices.
Patches and workarounds
The authentication bypass vulnerability being exploited is tracked as CVE-2026-24061 and received a severity score of 9.8/10 (Critical). It affects GNU InetUtils version 1.9.3 (released 11 years ago in 2015) through 2.7. It was fixed earlier this month, in version 2.8.
Referring to Shadowserver data, Bleeping Computer noted that the majority of devices with Telnet fingerprints are from Asia (380,000), followed by 170,000 from South America and about 100,000 from Europe. We don’t know how many of these devices have been secured against this vulnerability, but it’s safe to assume that not all of them are.
“We are approximately 800,000 telnet instances exposed globally – of course they shouldn’t be. [..] Telnet should not be publicly exposed, but often is, especially on older IoT devices,” the Shadowserver Foundation said in its report.
The patch was released on January 20, and within a day, threat actors began probing for vulnerable endpoints, security researchers GreyNoise said. Initially, at least 18 IP addresses made 60 Telnet sessions and accessed compromised devices without authentication. In the vast majority of cases (83%), the attackers gained ‘root’ access and used it to try to deploy Python malware. However, most of the attempts failed.
Those who cannot apply the patch immediately should disable the telnetd service or block TCP port 23 on all firewalls.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
