800,000 Telnet Servers Vulnerable to Remote Attacks
Nearly 800,000 Telnet servers are currently vulnerable to remote attacks, according to the internet security organization Shadowserver. This alarming statistic points to a significant weakness in network security stemming from a flaw in the GNU InetUtils telnetd server.
Overview of the Vulnerability
The critical vulnerability, identified as CVE-2026-24061, allows attackers to bypass authentication processes. This issue affects GNU InetUtils versions 1.9.3 to 2.7, which have been in circulation since 2015. The flaw was patched in version 2.8, released on January 20, providing users with an essential update to secure their servers.
Nature of the Exploit
Simon Josefsson, an open-source contributor, elaborated on the vulnerability. The telnetd server runs the login program as root, using the USER environment variable from the client. If a crafted USER value, such as “-f root,” is supplied, attackers can gain root access without standard authentication.
Global Impact and Distribution
Shadowserver’s tracking data reveals that over 800,000 exposed Telnet instances are spread across the globe:
- Asia: 380,000 instances
- South America: 170,000 instances
- Europe: 100,000 instances
Despite this wide exposure, there is no current data indicating how many of these devices have been secured against the CVE-2026-24061 vulnerability. Piotr Kijewski, CEO of Shadowserver, emphasized the urgency of addressing these security weaknesses, particularly as many devices, especially legacy IoT products, often remain unupdated.
Recent Exploits
Following the disclosure of CVE-2026-24061, cybersecurity firm GreyNoise reported limited attacks exploiting this vulnerability. The malicious activities began on January 21, just one day after the patch was released. Attackers utilized 18 different IP addresses to conduct 60 Telnet sessions.
Attack Methods and Effects
These attacks primarily targeted the ‘root’ user, accounting for 83.3% of attempts. Although many actions appeared to be automated, some instances involved manual intervention. Attackers subsequently attempted to deploy Python malware after gaining access but faced setbacks due to missing files and directories.
Recommended Security Measures
For administrators unable to upgrade their systems immediately, it is crucial to disable the vulnerable telnetd service or close TCP port 23 on firewalls. These proactive measures can help mitigate potential risks until software updates can be implemented.
As the use of Telnet on legacy and embedded devices persists, addressing vulnerabilities like CVE-2026-24061 is essential for maintaining robust internet security. Continuous vigilance and prompt action can significantly decrease the likelihood of being targeted by attackers exploiting these weaknesses.
