800k Telnet Devices Open to Root-Login Bypass (CVE-2026-24061)
Shadowserver has identified about 800,000 IPs fingerprinted for Telnet activity, highlighting widespread exposure to the root-login bypass in GNU InetUtils telnetd (CVE-2026-24061) affecting 1.9.3–2.7 and patched in 2.8; attackers can bypass authentication by sending USER=-f root via Telnet IAC. GreyNoise detected limited exploits starting Jan 21 from 18 IPs across 60 sessions, with 83% targeting root; attackers also attempted Python malware deployment but failed due to missing binaries. Most exposed devices are in Asia and the Americas; admins should disable vulnerable telnetd or block port 23 until patching.