Telnet Traffic Plummets 83% — What Happened 6 Days Before the CVE Release?
- On January 14, 2026, global Telnet sessions decreased by 65% in just one hour.
- The GNU Inetutils telnetd vulnerability (CVE-2026-24061) was disclosed 6 days later.
- Current Telnet traffic is about one-third of what it used to be.
50,000 Telnet Sessions Vanish in One Hour
On January 14, 2026, at 21:00 UTC, global Telnet sessions plummeted from approximately 74,000 to 22,000. Within two hours, they had dropped by 83% compared to the baseline [GreyNoise Labs]. Eighteen major ASNs went completely silent, and five countries, including Zimbabwe, disappeared from Telnet data.
Root Shell Takeover Vulnerability Revealed 6 Days Later
On January 20, CVE-2026-24061 was disclosed. GNU Inetutils telnetd contains an argument injection flaw in how it processes the USER environment variable [NVD]. By sending -f root as the username, an attacker can obtain a root shell without authentication. On January 26, CISA added it to the KEV catalog, requiring federal agencies to take action by February 16 [CISA].
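The class of check that closes this kind of argument injection, as an added example (not GNU Inetutils code and not the actual patch): validate the client-supplied user name and pass it only after `--` when building the login command line. The function names, the 32-character limit, the allowed character set and the `/bin/login` path are assumptions for illustration, and the example assumes the login program follows getopt conventions for `--`.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_LOGIN_NAME 32 /* assumed length limit for this example */

/* Return 1 if name may be passed to a login program as a user name.
 * Rejects empty or overlong values, a leading '-', and any character
 * outside [A-Za-z0-9._-], so a value such as "-f root" is refused. */
int is_safe_login_name(const char *name)
{
    if (name == NULL) return 0;
    size_t len = strlen(name);
    if (len == 0 || len > MAX_LOGIN_NAME || name[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Build argv for exec'ing the login program. A validated user name is
 * placed after "--" so it can only be read as an operand. Returns the
 * argument count, or -1 if the name is rejected or argv is too small. */
int build_login_argv(const char *login_path, const char *user,
                     const char *argv[], size_t cap)
{
    if (login_path == NULL || cap < 4) return -1;
    size_t n = 0;
    argv[n++] = login_path;
    if (user != NULL && user[0] != '\0') {
        if (!is_safe_login_name(user)) return -1;
        argv[n++] = "--";
        argv[n++] = user;
    }
    argv[n] = NULL;
    return (int)n;
}

int main(void)
{
    /* Constructed sample values for the client-supplied USER variable. */
    const char *samples[] = { "alice", "-f root", "-froot", "bob smith" };
    const char *argv[4];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> %d\n", samples[i],
               build_login_argv("/bin/login", samples[i], argv, 4));
    return 0;
}
```

A return value of -1 means the caller should discard the supplied name and fall back to an interactive login prompt rather than forwarding it.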
Hypothesis: Proactive Blocking by Backbone Providers
The reason for the traffic drop 6 days before the vulnerability disclosure is intriguing. GreyNoise researchers suggest that Tier 1 backbone providers may have received advance notice and implemented port 23 filtering [GreyNoise Labs]. Cloud providers were less affected. AWS traffic increased by 78%, and Contabo by 90%. Only residential ISPs took a major hit.
Currently, weekly Telnet sessions are at 320,000, a 70% decrease from the 1.08 million in early December. This accelerates Telnet’s demise. We recommend patching GNU Inetutils to 2.7-2 or disabling Telnet altogether.
Frequently Asked Questions (FAQ)
Q: How does CVE-2026-24061 work?
A: GNU Inetutils telnetd has an argument injection vulnerability when processing the USER environment variable. An attacker can send -f root as the username to bypass authentication and obtain a root shell. This is a critical vulnerability that allows remote takeover of the server without any authentication.
Q: What should I use instead of Telnet?
A: SSH (Secure Shell) is the standard replacement. It encrypts all communication and supports key-based authentication. Telnet transmits data in plaintext, making it a long-standing security risk. This incident highlights that many systems are still running Telnet.
Q: Does this affect regular users?
A: Mostly, there’s no direct impact. Telnet is primarily used for server administration and network equipment configuration. However, older IoT devices or industrial equipment might rely on Telnet, so administrators should consider patching or switching protocols.
References
- The Day the Telnet Died – GreyNoise Labs (2026-02-10)
- CVE-2026-24061 – NVD (2026-01-20)
- Known Exploited Vulnerabilities Catalog – CISA (2026-01-26)