CVE-2026-24061 CRITICAL telnetd security bug

irvinewade · January 23, 2026, 10:39am

CVE: https://www.cve.org/CVERecord?id=CVE-2026-24061

You really ought not be exposing telnetd on the internet but you never know. For sure, it is used internally in some corporate networks.

Christal · January 27, 2026, 9:37pm

Telnet is old. No one use it.. we have ssh.

irvinewade · January 27, 2026, 10:17pm

True.

This is false.

There are reports of active exploitation in the wild of this vulnerability. So this CVE must therefore be relevant. Someone is using it.

There are two related questions though:

Does anyone use it?
Does anyone use it exposed to the internet?

I absolutely guarantee you that the answer to the first question is “yes”.

There is another possible scenario though i.e. that telnet is installed and exposed but not in use (classic poor security practice) and so the only party using telnet is the intruder. (This kind of thing can happen when telnet gets installed for some temporary purpose but then noone remembers to deinstall it afterwards.)

So it doesn’t hurt to check all your computers to make sure that telnetd is not running or better still that it is not even installed.

Technically you can use telnet over SSL (or a range of other secure protocols to layer on or even secure extensions for telnet itself). So telnet is not necessarily insecure.

For sure, for ad hoc connection to a remote shell, SSH is vastly preferred over telnet in actual deployment.

SSH also offers additional functionality that telnet does not (e.g. port forwarding in either direction, X11 forwarding, SFTP). But then all that additional functionality is itself a potential security risk.

For what it’s worth, SSH has its own potential vulnerabilities with environment variables if you tinker with the configuration in unwise ways i.e. the default out-of-the-box sshd configuration should be fine.

Christal · January 30, 2026, 10:30pm

You are right. But using telnet over ssh … you know its like using udp over tcp.

irvinewade · January 31, 2026, 3:06am

There have been times when I’ve basically been forced to do that e.g. some older embedded device that supports telnet but not SSH, but you still want to make the connection secure against interception of traffic. So let the device use telnet but then port forward telnet over SSH.

Edit: PS It would be my understanding that even if you run telnet over SSH, you will still be vulnerable to this CVE if you are vulnerable to it at all.

Christal · January 31, 2026, 11:51pm

irvinewade,

i am kind of a noob with a high iq, i use computers and internet and have some deeper impressions but no deep experience on computers or actual networks. What i know is that humans do some stuff - especially not update software or deactivate old services if they should.

“udp over tcp” was hint for virtualization or vpn using. Some one use telnet for sure. But those who do, have fix it. And those who do not known should deactivate or firewall it - for more than a decade. I tried to made a joke, because i am a Noob.

A.I. will collect the unsafe not well configured systems and catch them all - for sure. Sometimes with Zero day exploits. So have backups and take care and have iron Firewall rules… vpn is not helping, its a blind spot!