Vulnerable systems include embedded systems and IoT devices with an exposed Telnet interface; servers and appliances that listen on TCP port 23 and use the vulnerable codebase, and Linux distributions that ship inetutils and leave telnetd enabled or installable, including Debian, Ubutnu, RHEL and SUSE, Dream said.
“A single network connection to port 23 is sufficient to trigger the vulnerability. No credentials, no user interaction, and no special network position are required,” it said.
Dream advised a number of immediate workarounds until the software can be patched, including migrating to secure alternatives such as SSH and disabling telnetd or running it without root privileges. Where that’s not possible, it advised blocking port 23 at the network perimeter and restricting its use to trusted hosts.
