PoC Released for GNU InetUtils telnetd RCE as 800K+ Exposed Instances Remain Online

A proof-of-concept exploit for CVE-2026-24061, a critical remote code execution vulnerability in GNU InetUtils telnetd, has surfaced, with security researchers warning that over 800,000 vulnerable instances remain publicly accessible on the internet.

The vulnerability allows unauthenticated attackers to execute arbitrary commands on affected systems running vulnerable versions of the telnetd service.

Vulnerability Overview

CVE-2026-24061 affects GNU InetUtils telnetd, a legacy remote login service that provides unencrypted terminal access over the network.

The vulnerability stems from improper input validation in the telnet daemon, allowing attackers to bypass authentication mechanisms and execute arbitrary commands on target systems.

With the release of working proof-of-concept code, exploitation is now trivial for threat actors with minimal technical expertise.

The Shadowserver Foundation’s Accessible Telnet Report reveals the scale of the problem.

Approximately 800,000 telnet instances remain exposed on port 23/TCP across the internet, presenting an attractive target surface for mass-exploitation campaigns.

These statistics underscore a persistent reality: legacy services continue operating in production environments despite their well-documented security risks.

Telnet transmits all data, including login credentials, in plaintext, making compromised systems immediately valuable for credential harvesting and lateral movement.

When combined with RCE vulnerabilities like CVE-2026-24061, exposed telnet services become critical infrastructure attack vectors.

Organizations should immediately audit their network perimeter for exposed Telnet services on port 23/TCP and alternative ports (2323, 2222).
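A host-side complement to the perimeter audit described above, as an added example that is not code from the article or from Shadowserver: it parses `ss -Htlnp` output on a Linux host you administer and reports listeners on the ports the article names, separating loopback-only binds from network-reachable ones. The sample socket table and all function names are constructed for illustration.

```python
import ipaddress
import shutil
import subprocess

# Ports named in the article: 23/TCP plus the alternative ports 2323 and 2222.
TELNET_PORTS = {23, 2323, 2222}

# Constructed sample of `ss -Htlnp` output (not captured from a real host).
SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=701,fd=3))
LISTEN 0 10 0.0.0.0:23 0.0.0.0:* users:(("inetd",pid=812,fd=5))
LISTEN 0 10 127.0.0.1:2323 0.0.0.0:* users:(("telnetd",pid=910,fd=4))
LISTEN 0 128 [::]:2222 [::]:* users:(("sshd",pid=702,fd=4))
LISTEN 0 10 192.0.2.10%eth0:2323 0.0.0.0:*
"""

def split_local(addr):
    """Split ss's Local Address:Port column into (host, port)."""
    host, _, port = addr.rpartition(":")
    host = host.split("%", 1)[0].strip("[]")  # drop %iface scope, then IPv6 brackets
    return host, int(port)                    # ports are numeric because of -n

def is_loopback(host):
    if host in ("*", ""):
        return False                          # wildcard bind: all interfaces
    return ipaddress.ip_address(host).is_loopback

def audit(ss_output):
    """Return (scope, host, port, process) for each listener on a telnet port."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue                          # skips headers and non-listening rows
        host, port = split_local(cols[3])
        if port not in TELNET_PORTS:
            continue
        # The process column is only present when ss can see the owning process.
        proc = cols[5] if len(cols) > 5 else "unknown (run ss as root)"
        scope = "loopback-only" if is_loopback(host) else "network-reachable"
        findings.append((scope, host, port, proc))
    return findings

if __name__ == "__main__":
    # Use the live socket table when ss is present, else the constructed sample.
    if shutil.which("ss"):
        text = subprocess.run(["ss", "-Htlnp"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE
    for scope, host, port, proc in audit(text):
        print(f"{scope:18} {host}:{port}  {proc}")
```

Port 2222 is frequently an alternate sshd port, so each finding keeps the owning process to distinguish it from a telnet daemon before acting on it.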

Shadowserver’s dashboard provides real-time statistics on accessible telnet instances by country, sector, and ASN.

Priority remediation involves disabling telnetd entirely, migrating to SSH, or implementing strict firewall rules limiting telnet access to trusted internal networks only.

Network defenders can reference Shadowserver’s severity classifications: MEDIUM for telnet exposure and CRITICAL for confirmed compromises.

The foundation also flags Zyxel CPE devices vulnerable to CVE-2024-40891 and systems compromised by the 7777 botnet with identical urgency.

Security teams should monitor threat intelligence feeds for exploit activity targeting this vulnerability.

Given the accessibility of 800K+ instances and widespread PoC availability, mass scanning and exploitation campaigns are highly probable.

Organizations operating legacy telnet infrastructure face imminent compromise risk and should prioritize remediation accordingly.
