Waldo JaquithFeb 11
I'm just reading this GNU telnetd CVE from last month. I did not realize that telnet was still a thing, but it turns out anybody could provide a username of "-f root" and, boom, they had root. The vulnerability existed for 11 years. *Wow*. https://www.cve.org/CVERecord?id=CVE-2026-24061
Show threadPaul_IPv6

@waldoj

my first reaction when i read this was "who uses telnet these days" but then realized that this is probably exactly why no one was fixing bugs in telnetd.

Feb 12 at 1:47amWeb
Show threadJohn TimaeusFeb 12

@paul_ipv6 @waldoj

I recently heard about a major ICS/OT gear mfg that ships all end devices with telnet open and well known default creds..."for initial configuration."

Show threadPaul_IPv6Feb 12

@johntimaeus @waldoj

RIPE did a document with recommendations for edge devices, including not having default passwords, requiring setting a decent password before starting to route packets, etc. in the early 1990s. sad that vendors are still shipping vulnerable boxes...

Show threadJohn TimaeusFeb 12

@paul_ipv6 @waldoj

Grid control devices.

Of course they will never be connected to the internet because segmentation works.

@vncresolver

Show threadSteve HoldenFeb 12
@johntimaeus @paul_ipv6 @waldoj That seems quaintly 20th century -right up until the law suits begin. Have they never heard of “secure by design”?