Article Details
Scrape Timestamp (UTC): 2026-02-11 15:49:50.484
Source: https://www.theregister.com/2026/02/11/were_telcos_tipped_off_to/
Original Article Text
Were telcos tipped off to *that* ancient Telnet bug? Cyber pros say the signs stack up.

Curious port filtering and traffic patterns suggest advisories weren’t the earliest warning signals sent.

Telcos likely received advance warning about January's critical Telnet vulnerability before its public disclosure, according to threat intelligence biz GreyNoise.

Global Telnet traffic "fell off a cliff" on January 14, six days before security advisories for CVE-2026-24061 went public on January 20. The flaw, a decade-old bug in GNU InetUtils telnetd with a 9.8 CVSS score, allows trivial root access exploitation.

GreyNoise data shows Telnet sessions dropped 65 percent within one hour on January 14, then 83 percent within two hours. Daily sessions fell from an average 914,000 (December 1 to January 14) to around 373,000, equating to a 59 percent decrease that persists today.

"That kind of step function – propagating within a single hour window – reads as a configuration change on routing infrastructure, not behavioral drift in scanning populations," said GreyNoise's Bob Rudis and "Orbie," in a recent blog.

The researchers' unverified theory is that infrastructure operators may have received information about the make-me-root flaw before advisories went to the masses.

"A backbone or transit provider – possibly responding to a coordinated request, possibly acting on their own assessment – implemented port 23 filtering on transit links. The filtering went live on January 14. The public disclosure followed on January 20."

As for supporting evidence? 18 operators, including BT, Cox Communications, and Vultr, went from hundreds of thousands of Telnet sessions to zero by January 15.

Major cloud providers were mostly unaffected by this drop off, and in some cases, like AWS, Telnet traffic increased by 78 percent.

"Cloud providers have extensive private peering at major IXPs that bypass traditional transit backbone paths. Residential and enterprise ISPs typically don't," the researchers said.

All of this points to one or more Tier 1 transit providers in North America implementing port 23 filtering. US residential ISP Telnet traffic dropped within the US maintenance window hours, and the same occurred at those relying on transatlantic or transpacific backbone routes, all while European peering was relatively unaffected, they added.

While GreyNoise acknowledged that correlation does not equal causation, its experts said a pre-advisory notification could explain the timing between traffic drop off and advisory releases, the specific port 23 filtering, and the fact that the filter is still in place today.

"We can't prove this. The backbone drop could be entirely coincidental – ISPs have been slowly moving toward filtering legacy insecure protocols for years (Wannacry), and January 14 could simply have been when someone's change control ticket finally got executed.

"But the combination of a Tier 1 backbone implementing what appears to be port 23 filtering, followed six days later by the disclosure of a trivially exploitable root-access telnet vulnerability, followed four days after that by a CISA KEV listing, is worth documenting and considering."

The Register approached some of the telcos GreyNoise mentioned in its report for their take on the theory and we'll update this article if we hear back.
Daily Brief Summary
GreyNoise suggests telcos received advance notice of a critical Telnet vulnerability, CVE-2026-24061, before its public disclosure on January 20.
Telnet traffic dramatically decreased by 65% within an hour on January 14, indicating potential preemptive actions by infrastructure operators.
The vulnerability, a decade-old bug in GNU InetUtils telnetd with a 9.8 CVSS score, allows for easy root access exploitation.
Major telcos like BT and Cox Communications reduced Telnet sessions to zero by January 15, hinting at coordinated pre-disclosure filtering.
Cloud providers, such as AWS, saw Telnet traffic increase, likely due to their extensive private peering bypassing traditional transit routes.
GreyNoise theorizes Tier 1 transit providers in North America implemented port 23 filtering, affecting US ISPs but leaving European peering largely unaffected.
While the correlation between traffic drop and disclosure timing is strong, GreyNoise acknowledges the lack of direct evidence for pre-advisory notifications.