I'm just reading this GNU telnetd CVE from last month. I did not realize that telnet was still a thing, but it turns out anybody could provide a username of "-f root" and, boom, they had root. The vulnerability existed for 11 years. *Wow*. https://www.cve.org/CVERecord?id=CVE-2026-24061
Don't miss this explanation of how backbone providers coordinated on this telnetd exploit in advance of the CVE release, and simply blocked port 23 traffic. https://www.labs.greynoise.io/grimoire/2026-02-10-telnet-falls-silent/
2026-01-14: The Day the telnet Died – GreyNoise Labs

On January 14, 2026, global telnet traffic observed by GreyNoise sensors fell off a cliff. A 59% sustained reduction, eighteen ASNs going completely silent, five countries vanishing from our data entirely. Six days later, CVE-2026-24061 dropped. Coincidence is one explanation.

@waldoj I'm not aware of any backbone provider coordination. That rarely happens for blocking anything - and probably the only time I can even recall there was such a widely coordinated port block was with Slammer over 20 years ago.

Another viewpoint here: https://www.terracenetworks.com/blog/2026-02-11-telnet-routing

Reports of Telnet’s Death Have Been Greatly Exaggerated — Terrace Networks

We see no evidence that specific core network autonomous systems have blocked Telnet, contrary to previous reports. We specifically see continued non-spoofable Telnet traffic from networks on which GreyNoise saw 100% drop-off. We suspect initial results may have been measurement artifacts or specifi

@jtk @waldoj yeah I find this rebuttal convincing too: it was a little hard for me to believe port 23 was being filtered so aggressively. The only thing I can think of close to that now is port 25 and that's mostly residential ISPs blocking traffic from their customers on the assumption it's spam.
@nelson @jtk I remember when that started, ~20-odd years ago. It was frustrating for me, as somebody running a home mail server, but I had to concede that it made sense as a spam-reduction strategy.

@waldoj

my first reaction when i read this was "who uses telnet these days" but then realized that this is probably exactly why no one was fixing bugs in telnetd.

@paul_ipv6 @waldoj

I recently heard about a major ICS/OT gear mfg that ships all end devices with telnet open and well-known default creds..."for initial configuration."

@johntimaeus @waldoj

RIPE did a document with recommendations for edge devices, including not having default passwords, requiring setting a decent password before starting to route packets, etc. in the early 1990s. sad that vendors are still shipping vulnerable boxes...

@paul_ipv6 @waldoj

Grid control devices.

Of course they will never be connected to the internet because segmentation works.

@vncresolver

@johntimaeus @paul_ipv6 @waldoj That seems quaintly 20th century - right up until the lawsuits begin. Have they never heard of “secure by design”?

@waldoj
I suppose most orgs don’t run telnetd on their servers.

@waldoj *Wow*, telnetd has been a thing the last 11 years?

telnet client[0], sure, but telnet daemon?

[0] Yeah, yeah, there are other tools now, but my fingers have typed telnet before I've thought of something else or figured out how to spell netcat :)

@waldoj this was a bug implemented many times across many telnet daemons. the first instance was in the 80s...
@waldoj turns out, it depends on what telnet server you have. it wasn't universally true.