Experts flag around 800,000 Telnet servers exposed to remote attacks - here's why users should be on their guard
  • Critical Telnet flaw (CVE-2026-24061) exposes 800,000 devices worldwide
  • Attackers gain root access, attempt Python malware deployment after bypassing authentication
  • Patch released; users urged to disable Telnet or block port 23

A major security vulnerability has been spotted in Telnet, an old remote-access tool, which is already being exploited on a fairly large scale, experts have warned.

Researchers at Shadowserver said they saw almost 800,000 IP addresses with Telnet fingerprints, suggesting an enormous attack surface.

Telnet is an old network protocol that allows users to remotely log into devices. Because it is outdated and insecure, it is not supposed to be exposed to the internet anymore, but hundreds of thousands of devices still are - especially older Linux systems, routers, and IoT devices.

Patches and workarounds

The authentication bypass vulnerability being abused is tracked as CVE-2026-24061 and was given a severity score of 9.8/10 (critical). It impacts GNU InetUtils versions 1.9.3 (released 11 years ago in 2015) through 2.7. It was fixed earlier this month, in version 2.8.

Citing Shadowserver data, BleepingComputer noted the majority of devices with Telnet fingerprints are from Asia (380,000), followed by 170,000 from South America, and around 100,000 from Europe. We don’t know how many of these devices have been secured against this vulnerability, but it is safe to assume that not all have.

"We are ~800K telnet instances exposed globally - naturally, they should not be. [..] Telnet should not be publicly exposed, but often is especially on legacy iot devices," Shadowserver Foundation said in its report.

The fix was released on January 20, and within a day, threat actors started probing for vulnerable endpoints, security researchers GreyNoise said. At first, at least 18 IP addresses made 60 Telnet sessions, gaining access to compromised devices without authentication. In the vast majority of cases (83%), the attackers obtained ‘root’ access and used it to try deploying Python malware. Most of the attempts failed, though.

Those that cannot apply the patch immediately should disable the telnetd service, or block TCP port 23 on all firewalls.

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Source: TechRadar