800,000 Telnet Servers Remain Vulnerable to Critical Authentication Bypass

Nearly 800,000 Telnet servers remain exposed to remote attacks exploiting a critical authentication bypass vulnerability (CVE-2026-24061) in GNU InetUtils telnetd. Security watchdog Shadowserver reports this widespread exposure despite patches being available since January 20, 2026, putting countless legacy devices at risk.

"The telnetd server invokes /usr/bin/login passing the USER environment value from the client," explained open-source contributor Simon Josefsson, who discovered the flaw. "By crafting a USER value of '-f root' and using telnet's login parameter, attackers bypass authentication entirely and gain automatic root access."

The vulnerability affects GNU InetUtils versions 1.9.3 through 2.7, software commonly embedded in industrial control systems, network equipment, and IoT devices. Shadowserver Foundation CEO Piotr Kijewski emphasized the scale: "We're tracking approximately 800,000 exposed Telnet instances globally - naturally, they shouldn't be. Telnet should never be publicly exposed, yet persists especially on legacy IoT devices."

GreyNoise has already detected active exploitation attempts originating from 18 IP addresses. Their analysis shows attackers injecting malicious USER parameters during Telnet option negotiation, successfully gaining shell access in 83.3% of observed cases targeting root accounts. While some attacks appear automated, researchers noted concerning "human-at-keyboard" activity patterns.

Practical mitigation steps:

1. Immediate upgrade to GNU InetUtils version 2.8 or later
2. Disable telnetd services if not essential
3. Block TCP port 23 at network perimeters
4. Inventory legacy devices for Telnet exposure using tools like Shodan

Organizations should prioritize remediation given the trivial exploitation path and high-value root access provided by this vulnerability. As Kijewski notes: "These exposures represent low-hanging fruit for attackers targeting critical infrastructure."