Infosec researchers mull curious case of Telnet ancient flaw • The Register

https://www.theregister.com/2026/02/11/were_telcos_tipped_off_to/

Publish Date: 2026-02-11 10:41:00

Telcos likely received advance warning about January’s critical Telnet vulnerability before its public disclosure, according to threat intelligence biz GreyNoise.

Global Telnet traffic “fell off a cliff” on January 14, six days before security advisories for CVE-2026-24061 went public on January 20. The flaw, a decade-old bug in GNU InetUtils telnetd with a 9.8 CVSS score, allows trivial root access exploitation.

GreyNoise data shows Telnet sessions dropped 65 percent within one hour on January 14, then 83 percent within two hours. Daily sessions fell from an average 914,000 (December 1 to January 14) to around 373,000, equating to a 59 percent decrease that persists today.

“That kind of step function – propagating within a single hour window – reads as a configuration change on routing infrastructure, not behavioral drift in scanning populations,” said GreyNoise’s Bob Rudis and “Orbie,” in a recent blog.

The researchers unverified theory is that infrastructure operators may have received information about the make-me-root flaw before advisories went to the masses.

“A backbone or transit provider – possibly responding to a coordinated request, possibly acting on their own assessment– implemented port 23 filtering on transit links. The filtering went live on January 14. The public disclosure followed on January 20.”

As for supporting evidence? 18 operators, including BT, Cox Communications, and Vultr went from hundreds of thousands of Telnet sessions to zero by January 15.

Major cloud providers were mostly unaffected by this drop off, and in some cases like AWS, increased by 78 percent.

“Cloud providers have extensive private peering at major IXPs that bypass traditional transit backbone paths. Residential and enterprise ISPs typically don’t,” the researchers said.

All of…

Source