Hackers Scan Nearly 800,000 Telnet Servers as Critical Linux Flaw Sees Active Exploitation
A long-standing authentication bypass in GNU InetUtils telnetd has triggered widespread scanning and early-stage attacks across legacy and IoT systems.

Internet security watchdog Shadowserver reports that nearly 800,000 internet-exposed IP addresses currently show Telnet fingerprints, amid ongoing attacks exploiting a critical authentication bypass vulnerability in GNU InetUtils.
The vulnerability, tracked as CVE-2026-24061, affects GNU InetUtils versions 1.9.3 through 2.7 and was patched only recently in version 2.8, released on January 20. Despite the fix, a massive number of exposed Telnet services remain at risk.
What Is the Vulnerability
The flaw resides in the telnetd server’s handling of environment variables during authentication.
According to the researcher who disclosed the issue, telnetd passes the user-controlled USER environment variable directly to /usr/bin/login, which typically runs with root privileges. Because login treats -f as an option meaning the user is already authenticated, a USER value crafted as "-f root" is parsed as an option rather than as a username. By sending that value over a connection initiated with the telnet -a option, attackers can bypass authentication entirely and log in as root.
The vulnerability remained undetected for 11 years, largely due to Telnet’s declining visibility despite its continued use in legacy environments.
Scale of Exposure
Shadowserver currently tracks:
- ~800,000 internet-exposed Telnet instances worldwide
- 380,000+ located in Asia
- ~170,000 in South America
- 100,000+ in Europe
There is no clear visibility into how many of these systems have already applied the patch or implemented mitigations.
Shadowserver emphasized that Telnet should never be publicly exposed, but remains common on legacy and embedded systems, especially IoT devices that operate for years without updates.
Exploitation Observed in the Wild
Cybersecurity firm GreyNoise confirmed that attackers began exploiting CVE-2026-24061 one day after the patch was released.
Observed attack activity includes:
- 18 attacker IP addresses
- 60 malicious Telnet sessions
- Abuse of Telnet IAC option negotiation
- Root account targeted in 83.3% of attempts
While most attacks appeared automated, GreyNoise also identified several human-operated intrusions.
After gaining shell access, attackers attempted to deploy Python-based malware during reconnaissance. These payloads failed in many cases due to missing binaries or directories on the target systems.
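For defenders reviewing captured Telnet traffic, the following added example (not from GreyNoise, Shadowserver or the GNU InetUtils project) parses the client-to-server byte stream and flags any USER value that begins with a dash. It assumes USER is carried in the NEW-ENVIRON subnegotiation defined in RFC 1572; the function names and sample byte strings are constructed for illustration.

```python
# Added example: flag Telnet NEW-ENVIRON USER values that login would read as options.
IAC, SB, SE = 255, 250, 240          # Telnet command bytes
NEW_ENVIRON = 39                     # RFC 1572 option code
IS, INFO = 0, 2                      # client commands that carry variable values
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3


def subnegotiations(stream: bytes):
    """Yield (option, payload) per IAC SB ... IAC SE block, un-doubling IAC IAC."""
    i, n = 0, len(stream)
    while i < n - 2:
        if stream[i] == IAC and stream[i + 1] == SB:
            option, j, payload = stream[i + 2], i + 3, bytearray()
            while j < n - 1:
                if stream[j] == IAC and stream[j + 1] == SE:
                    yield option, bytes(payload)
                    break
                step = 2 if stream[j] == IAC and stream[j + 1] == IAC else 1
                payload.append(stream[j + step - 1])
                j += step
            i = j + 2
        else:
            # Skip an escaped 0xFF data byte so it cannot be misread as IAC SB.
            i += 2 if stream[i] == IAC and stream[i + 1] == IAC else 1


def environ_vars(payload: bytes) -> dict:
    """Parse an IS/INFO payload into {name: value}, honouring ESC-quoted bytes."""
    if not payload or payload[0] not in (IS, INFO):
        return {}
    out, name, value, cur = {}, bytearray(), bytearray(), None
    it = iter(payload[1:])
    for b in it:
        if b in (VAR, USERVAR):          # a new variable starts
            if cur is not None:
                out[bytes(name)] = bytes(value)
            name, value = bytearray(), bytearray()
            cur = name
        elif b == VALUE and cur is not None:
            cur = value
        elif cur is not None:
            cur.append(next(it, 0) if b == ESC else b)
    if cur is not None:
        out[bytes(name)] = bytes(value)
    return out


def suspicious_user(stream: bytes) -> list:
    """Return every USER value in the stream that starts with '-'."""
    users = (environ_vars(p).get(b"USER") for o, p in subnegotiations(stream)
             if o == NEW_ENVIRON)
    return [u.decode("latin-1") for u in users if u and u.startswith(b"-")]
```

A hit is a lead for investigation rather than proof of compromise: whether the session succeeded depends on the telnetd version on the receiving host.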
Why This Is Dangerous
GNU InetUtils ships with many Linux distributions and often runs on:
- Legacy servers
- Embedded Linux devices
- IoT cameras and sensors
- Industrial and OT environments
These systems frequently operate without updates for a decade or more, making them ideal targets for attackers seeking easy entry points and persistent access.
Mitigation Guidance
Organizations that cannot immediately upgrade to GNU InetUtils 2.8 should take urgent defensive steps:
- Disable the telnetd service entirely
- Block TCP port 23 at network boundaries
- Audit legacy and embedded systems
- Replace Telnet with secure alternatives such as SSH