Nearly 800,000 Telnet servers exposed to remote attacks

https://www.bleepingcomputer.com/news/security/nearly-800-000-telnet-servers-exposed-to-remote-attacks/

Publish Date: 2026-01-26 10:19:00

Source Domain: www.bleepingcomputer.com

Internet security watchdog Shadowserver tracks nearly 800,000 IP addresses with Telnet fingerprints amid ongoing attacks exploiting a critical authentication bypass vulnerability in the GNU InetUtils telnetd server.

The security flaw (CVE-2026-24061) already has a proof-of-concept exploit, impacts GNU InetUtils versions 1.9.3 (released in 2015) through 2.7, and was patched in version 2.8 (released on January 20).

“The telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter,” explained open-source contributor Simon Josefsson, who reported it.

“If the client supplies a carefully crafted USER environment value being the string ‘-f root’, and passes the telnet(1) -a or --login parameter to send this USER environment to the server, the client will be automatically logged in as root bypassing normal authentication processes.”

Today, Shadowserver said that it’s tracking nearly 800,000 IP addresses with Telnet fingerprints, over 380,000 from Asia, almost 170,000 from South America, and just over 100,000 from Europe. However, there is no information regarding how many of these devices have been secured against CVE-2026-24061 attacks.

“We are ~800K telnet instances exposed globally – naturally, they should not be. [..] Telnet should not be publicly exposed, but often is especially on legacy iot devices,” said Shadowserver Foundation CEO Piotr Kijewski.

Internet-exposed Telnet servers (Shadowserver)

GNU InetUtils is a collection of network utilities (including telnet/telnetd, ftp/ftpd, rsh/rshd, ping, and traceroute) used across multiple Linux distributions, and it can run without updates for more than a decade on many legacy and embedded devices. This explains its presence in IoT devices, as noted by Kijewski.

On Thursday, days after CVE-2026-24061 was disclosed, cybersecurity company GreyNoise reported that it had already detected…
