Active attack puts 800,000 servers at risk


Telnet flaw allows unauthenticated users to gain root access


Attackers are exploiting an authentication bypass vulnerability in GNU InetUtils telnetd, a widely used server implementation of the legacy Telnet client/server protocol, and are hunting for servers with open Telnet ports. More than 800,000 internet-exposed Telnet instances could be targeted.


The risks to operational technology environments are particularly acute, given the prevalence of potentially vulnerable legacy and embedded equipment. Legacy and shadow Internet of Things devices also pose a risk, because Telnet is often enabled by default on such devices.

Ian Thornton-Trump, CISO at Inversion6, said the flaw is “an absolute gift for nation-state threat actors looking for persistence on OT systems.”

The flaw, tracked as CVE-2026-24061, was publicly disclosed on January 20 in a security advisory and accompanying patch from the maintainers of the widely used telnetd server software. The maintainers warned that the flaw is serious and could be exploited by an attacker to gain root-level access to the system. telnetd is part of GNU InetUtils, a collection of free network utilities for Unix-like operating systems that is included in many Linux distributions.

If an attacker sends a specially crafted USER environment variable to the server, specifically the string "-f root", telnetd passes it on to login(1) as though it were a user name and "the client automatically logs in as root, bypassing the normal authentication process," said maintainer Simon Josefsson.
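To make the mechanism concrete, here is an added example in C; it is not code from the article, from the InetUtils project or from telnetd/utility.c. It parses a constructed Telnet NEW-ENVIRON subnegotiation (RFC 1572, the standard way a Telnet client ships environment variables such as USER to the server), shows how a name spliced unchecked into a whitespace-split login command line turns "-f root" into the two separate arguments "-f" and "root", and applies the kind of input check a patched server needs before the name reaches that command line. The "/bin/login -p -h <host> <user>" command-line shape, every function name, the sample host 203.0.113.7, the sample payloads and the stricter no-whitespace rule are assumptions of this example, not details taken from the advisory.

```c
/*
 * Added example, not GNU InetUtils source: a simplified model of how telnetd
 * turned the client-supplied USER environment variable into the argv it hands
 * to login(1), and the kind of input check that closes CVE-2026-24061.
 * Assumptions (not from the article or telnetd/utility.c): the login command
 * line shape, the whitespace splitting, and every function name below.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_ARGS 16
#define MAX_LINE 256

/* Telnet NEW-ENVIRON option codes (RFC 1572). IAC SB ... IAC SE framing and
 * ESC/USERVAR handling are omitted; the sample payloads below use none of them. */
enum { NEW_ENVIRON = 39, ENV_IS = 0, ENV_VAR = 0, ENV_VALUE = 1 };

/* Pull the value of VAR "USER" out of a NEW-ENVIRON IS subnegotiation body
 * (the bytes between IAC SB and IAC SE). Returns the value length, or -1 if
 * the body is malformed, the value does not fit in out, or no USER was sent. */
int extract_user_env(const unsigned char *sub, size_t len, char *out, size_t outlen)
{
    if (len < 2 || sub[0] != NEW_ENVIRON || sub[1] != ENV_IS)
        return -1;
    size_t i = 2;
    while (i < len) {
        if (sub[i++] != ENV_VAR)
            return -1;
        size_t nstart = i;
        while (i < len && sub[i] != ENV_VALUE && sub[i] != ENV_VAR)
            i++;
        size_t nlen = i - nstart, vstart = i, vlen = 0;
        if (i < len && sub[i] == ENV_VALUE) {
            vstart = ++i;
            while (i < len && sub[i] != ENV_VAR)
                i++;
            vlen = i - vstart;
        }
        if (nlen == 4 && memcmp(sub + nstart, "USER", 4) == 0) {
            if (vlen >= outlen)
                return -1;
            memcpy(out, sub + vstart, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
    }
    return -1;
}

/* Pre-2.8 behaviour as modelled here: the user name is spliced into a command
 * line that is then split on whitespace, so "-f root" becomes the two separate
 * arguments "-f" and "root", and login(1) reads -f as "already authenticated".
 * Returns argc (or -1 on overflow); argv[] entries point into linebuf. */
int build_login_argv(const char *host, const char *user, char *linebuf, size_t buflen,
                     char *argv[], int maxargs)
{
    int n = snprintf(linebuf, buflen, "/bin/login -p -h %s %s", host, user);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    int argc = 0;
    for (char *tok = strtok(linebuf, " \t"); tok && argc < maxargs - 1; tok = strtok(NULL, " \t"))
        argv[argc++] = tok;
    argv[argc] = NULL;
    return argc;
}

/* Would login(1) receive a -f option if this user name went through unchecked? */
int login_argv_has_preauth(const char *host, const char *user)
{
    char line[MAX_LINE], *argv[MAX_ARGS];
    int argc = build_login_argv(host, user, line, sizeof line, argv, MAX_ARGS);
    for (int i = 0; i < argc; i++)
        if (strcmp(argv[i], "-f") == 0)
            return 1;
    return argc < 0 ? -1 : 0;
}

/* The guard a patched server applies before the name reaches the command line:
 * nothing that could parse as an option and nothing that splits into extra
 * arguments. Rejecting whitespace too is a choice of this example. */
int user_name_is_safe(const char *user)
{
    if (user == NULL || user[0] == '\0' || user[0] == '-')
        return 0;
    for (const char *p = user; *p; p++)
        if (*p == ' ' || *p == '\t' || *p == '\r' || *p == '\n')
            return 0;
    return 1;
}

/* Constructed sample payloads (not captured traffic): NEW-ENVIRON IS VAR "USER"
 * VALUE "-f root" for the attack and VALUE "alice" for an ordinary login. */
const unsigned char attack_sub[] = { NEW_ENVIRON, ENV_IS, ENV_VAR, 'U','S','E','R',
                                     ENV_VALUE, '-','f',' ','r','o','o','t' };
const unsigned char benign_sub[] = { NEW_ENVIRON, ENV_IS, ENV_VAR, 'U','S','E','R',
                                     ENV_VALUE, 'a','l','i','c','e' };

int main(void)
{
    const unsigned char *subs[] = { attack_sub, benign_sub };
    const size_t lens[] = { sizeof attack_sub, sizeof benign_sub };
    for (int k = 0; k < 2; k++) {
        char user[64];
        if (extract_user_env(subs[k], lens[k], user, sizeof user) < 0)
            continue;
        printf("USER=\"%s\": unchecked login argv carries -f: %s; patched check accepts: %s\n",
               user, login_argv_has_preauth("203.0.113.7", user) ? "yes" : "no",
               user_name_is_safe(user) ? "yes" : "no");
    }
    return 0;
}
```

The point the two sample payloads make is that the bypass needs no protocol trick beyond a legitimate environment variable: the value is copied faithfully, and only the later splitting of the command line gives the leading "-f" meaning. Validating the name at the moment it is extracted, before any command line exists, is what keeps the check independent of how login(1) happens to be invoked.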

The InetUtils team has released telnetd version 2.8 that blocks exploitation of this flaw and has also published a standalone patch.

All telnetd releases from 1.9.3, released in May 2015, through 2.7 are vulnerable. Given the severity of the flaw, the InetUtils team recommended that organizations either "not run a telnetd server at all" or use firewalls to "restrict network access to Telnet ports to trusted clients," and in either case "apply the patch or upgrade to a new release that incorporates the patch."

As a workaround, administrators can either disable telnetd or configure it to use a custom login(1) program that does not accept the "-f" parameter, the InetUtils team said.

Security experts are urging organizations to immediately audit their infrastructure for all devices, including shadow IoT, and immediately remediate any deficiencies.

“This is really setting the stage for the ‘cyber Pearl Harbor’ scenario that cyber threat researchers have in mind. In my opinion, this is a once-in-a-decade type of vulnerability and should be addressed as a top priority,” Thornton-Trump told Information Security Media Group.

He said this risk is particularly acute in “developing countries, which may have large amounts of legacy technology that is not supported by manufacturers.”

Widely used software

The U.S. Cybersecurity and Infrastructure Security Agency added the flaw to its Known Exploited Vulnerabilities catalog on Monday and set a February 16 deadline for federal civilian agencies to patch or mitigate it.

Fixes for telnetd "must be packaged in various distributions before they can be implemented," further complicating the patching race, warned the Canadian Cyber Security Centre.

"Until then, patches can only be implemented by modifying the code (in telnetd/utility.c) and compiling it separately," the centre said. Sectors that could be at increased risk from the vulnerability include manufacturing, logistics and shipping, in part because of the widespread use of embedded systems running versions of Linux that are never updated after deployment, according to a security alert issued Monday by the Global Technology Industry Association.

The association flagged traditional networking equipment used by telecommunications providers around the world as high risk, as well as equipment aimed at small and medium-sized organizations that may include Telnet for remote troubleshooting purposes.

The association recommends that organizations proactively scan their networks to identify "legacy" or "shadow" IoT devices that may be running vulnerable versions of GNU InetUtils without administrators' knowledge.

Multiple Debian and Ubuntu releases appear to ship vulnerable versions of the software.

The Shadowserver Foundation, a nonprofit security organization that fights malware, botnets and fraud, said it is not possible to "explicitly" scan GNU InetUtils telnetd instances for CVE-2026-24061 because of "the lack of the ability to check in a secure manner."

However, the organization said about 800,000 Telnet instances remain exposed to the internet, mainly in Asia and South America. At the country level, China accounts for approximately 130,000 exposed endpoints and Brazil 119,000, followed by the United States with 50,000, Japan with 41,000, Mexico with 30,000 and India with 27,000.

Experts advise against using Telnet at all, because the legacy protocol sends usernames and passwords in clear text. If it must be used, administrators should lock it down completely and never expose it to the internet.

"This is a great example of how vulnerabilities still exist in legacy systems/protocols. Make sure you're not running it," said Alan Woodward, a cybercrime expert and visiting professor of computer science at the University of Surrey, in a post on the social platform X.

Exploitation attempts are on the rise

Less than 24 hours after InetUtils published the telnetd security advisory, cybersecurity firm GreyNoise said its honeypots began logging both opportunistic and targeted exploitation attempts.

GreyNoise reported that it had observed direct exploitation attempts via Telnet sessions, at least one malware distribution server likely pushing botnet command-and-control software or cryptocurrency miners, and "dual-purpose infrastructure," meaning red-teaming and other tools that can be used for both legitimate and malicious purposes. The company warned that a successful attempt could give an attacker persistent remote access, even after the Telnet shell is exited.

In many cases, attackers appear to be attempting to deploy Python-based malware after gaining access to a device. "This is a 'zero-effort' exploit that grants instant root access, making it highly attractive to botnet operators and state-sponsored attackers," GTIA said.

One honeypot configured to look for signs of CVE-2026-24061 exploitation was compromised within 60 minutes, said Tyler Hudak, director of incident response at Inversion6, in a post on LinkedIn. "The attacker logged in as root, immediately executed commands, installed backdoors and began scanning for more targets," he said.

"Organizations risk-modeling this vulnerability will likely need to review more than just on-premises equipment. It's not just Linux servers that are affected; IoT devices are affected as well."

"Your organization may be secure, but what about the devices your employees are using at home?" Hudak said.

Exploitation of the flaw has been the subject of discussion on pro-Russian hacking forums, and “we can definitely expect an increase in the scanning of available servers,” said Milivoj Lazic, head of threat intelligence at cybersecurity firm Dynarisk.

While some of these discussions focus on “terminal commands to carry out attacks,” they also detail more automated tools in development that “make it possible for people without specialized knowledge to carry out attacks,” he said.
