Telnet Is Still Running On Your Servers And I Want To Retire
Oh good. Another Tuesday. Another 9.8. Another reason I can't finish my coffee before the alerts start screaming.
CVE-2026-24061 is a critical authentication bypass in GNU InetUtils telnetd, versions 1.9.3 through 2.7. A wolf doesn't even need credentials. They just knock on the telnet port, wave hello, and the server hands them root like it's a welcome basket. No password. No friction. Just full control of your infrastructure because someone left the barn door not just unlocked, but actively welcoming strangers.
A 9.8 out of 10. For TELNET. A protocol older than most of my regrets.
Here's the part that's going to make me go lie down in a field somewhere. Telnet was supposed to be dead. We buried it. We held a funeral. SSH showed up in 1995 and we all collectively agreed to move on with our lives. And yet, here we are in 2026, issuing critical CVEs for a service that has absolutely no business running on anything connected to electricity.
I have personally told the Flock to stop using telnet approximately nine hundred times. I have sent the emails. I have made the tickets. I have stood in the metaphorical pasture and screamed into the wind. And somewhere, on some forgotten server that nobody documented, telnetd is sitting there, listening on port 23, waiting to ruin my weekend.
The Shepherds, naturally, want a one-page executive summary and assurance that this "won't impact the business." I want eight consecutive hours of sleep. We're both going to be disappointed.
The hole in the fence here is trivially exploitable. Remote. Unauthenticated. Root. If you have this running externally, I am so sorry, but also, why are you like this.
Remediation
Fine. Here's what you do, and I'm only saying this once because I need to go stare at a wall.
First: Find every single instance of telnetd running in your environment. Use your scanner. Use grep. Use shame. And don't stop at grepping the process list: when inetd or xinetd is doing the spawning, the thing holding port 23 open is inetd, and a telnetd process only appears once someone connects. Look for the listener on port 23 and for telnet entries in /etc/inetd.conf and /etc/xinetd.d, not just the name. Find it.
Second: Turn it off. Disable it. Kill it. systemctl disable --now telnet.socket if systemd is socket-activating it; comment out the telnet line in /etc/inetd.conf or set disable = yes in /etc/xinetd.d/telnet if inetd or xinetd is spawning it; then check port 23 again, because "disabled" and "not listening" are not the same thing. Don't look back. Use SSH like a person who exists in the current century.
Third: If some ancient system "requires" telnet because it can't speak SSH, that system needs to be wrapped in its own isolated network segment with the Electric Fence cranked up to maximum, not touching anything you care about.
Fourth: Shear your InetUtils packages anyway. If you somehow cannot remove telnet, update to a build your distribution has patched for this CVE, and verify the installed package, not the downloaded one, carries the fix: a distro backport can ship the patch without bumping the upstream version number, so read the package changelog rather than trusting a version string. But seriously. Remove telnet.
There is no fifth step that makes telnet acceptable. I just needed you to know that.
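Since "find it" is the step everybody gets wrong, here is an added example (mine, not the original post's, and not part of InetUtils) that does the hunt the way the first two steps describe: match the port 23 listener instead of the process name, pick up live telnet entries in inetd.conf, and flag an xinetd service file that forgot its disable line. The `ss -tlnp` output, inetd.conf fragment and xinetd files below are constructed samples so the script runs offline; on a real host you pipe the actual command output and config files into the same functions.

```shell
#!/bin/sh
# Added example, not code from the original post: offline helpers for the
# "find it" and "turn it off" steps. The samples below are constructed to look
# like `ss -tlnp` output, an /etc/inetd.conf and /etc/xinetd.d/telnet files,
# so the script runs without touching a live host. In production, feed the
# real command output and config files into the same functions.

# Print every TCP listener on port 23 from `ss -tlnp` output read on stdin,
# as "local-address process". Matching on the port instead of the process
# name matters: when inetd/xinetd spawns telnetd, the process holding the
# socket is inetd, and "telnetd" never shows up in ps until a client connects.
find_telnet_listeners() {
    awk '$1 == "LISTEN" && $4 ~ /:23$/ { print $4, $NF }'
}

# Print active (not commented out) telnet entries from inetd.conf text on stdin.
# A line starting with "#telnet" has $1 == "#telnet", so it is skipped.
find_inetd_telnet() {
    awk '$1 == "telnet"'
}

# Exit 0 if an xinetd service file on stdin leaves telnet enabled, 1 otherwise.
# xinetd treats a missing "disable" attribute as "disable = no", so the absence
# of the line is the dangerous case, not only an explicit "disable = no".
xinetd_telnet_enabled() {
    awk '
        { gsub(/=/, " = ") }   # accept both "disable=yes" and "disable = yes"
        $1 == "service" && $2 == "telnet" { in_telnet = 1; seen = 1 }
        $1 == "}" { in_telnet = 0 }
        in_telnet && $1 == "disable" && $3 == "yes" { disabled = 1 }
        END { if (seen && !disabled) exit 0; exit 1 }
    '
}

# Constructed `ss -tlnp` sample: an inetd-held telnet socket on IPv4, a
# standalone telnetd on IPv6, plus decoys on 22 and 2323 that must not match.
SS_SAMPLE=$(cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=901,fd=3))
LISTEN 0      128    0.0.0.0:23         0.0.0.0:*         users:(("inetd",pid=412,fd=5))
LISTEN 0      128    [::]:23            [::]:*            users:(("telnetd",pid=1337,fd=4))
LISTEN 0      128    127.0.0.1:2323     0.0.0.0:*         users:(("python3",pid=2200,fd=3))
EOF
)

# Constructed /etc/inetd.conf fragment: one commented-out and one live telnet entry.
INETD_SAMPLE=$(cat <<'EOF'
#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
telnet  stream tcp nowait root /usr/libexec/telnetd telnetd
ftp     stream tcp nowait root /usr/sbin/tcpd in.ftpd
EOF
)

# Constructed /etc/xinetd.d/telnet files: one with no disable line (enabled by
# xinetd's default), one correctly disabled.
XINETD_ENABLED=$(cat <<'EOF'
service telnet
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
}
EOF
)
XINETD_DISABLED=$(cat <<'EOF'
service telnet
{
        disable         = yes
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
}
EOF
)

# Demo over the constructed samples. On a real host, swap in
# `ss -tlnp`, /etc/inetd.conf and the files under /etc/xinetd.d/.
echo "== port 23 listeners (address, owning process) =="
printf '%s\n' "$SS_SAMPLE" | find_telnet_listeners
echo "== live telnet entries in inetd.conf =="
printf '%s\n' "$INETD_SAMPLE" | find_inetd_telnet
if printf '%s\n' "$XINETD_ENABLED" | xinetd_telnet_enabled; then
    echo "xinetd sample 1: telnet ENABLED (no disable line) -> set 'disable = yes', restart xinetd"
else
    echo "xinetd sample 1: telnet disabled"
fi
if printf '%s\n' "$XINETD_DISABLED" | xinetd_telnet_enabled; then
    echo "xinetd sample 2: telnet ENABLED"
else
    echo "xinetd sample 2: telnet disabled"
fi
```

Note what the port match catches that a name grep misses: the IPv4 socket in the sample is owned by inetd, not telnetd, which is exactly the forgotten-server case. Whatever this finds, re-run the listener check after disabling, since a unit that is "disabled" but still active, or a second inetd.conf entry, will keep port 23 open.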
Still finding telnetd on prod servers and choosing not to feel anything anymore.
Original Report: https://thehackernews.com/2026/01/critical-gnu-inetutils-telnetd-flaw.html