Sudden Telnet Traffic Drop. Are Telcos Filtering Ports to Block Critical Vulnerability?
An anonymous reader shared this report from the Register: Telcos likely received advance warning about January's critical Telnet vulnerability before its public disclosure, according to threat intelligence biz GreyNoise. Global Telnet traffic "fell off a cliff" on January 14, six days before security advisories for CVE-2026-24061 went public on January 20. The flaw, a decade-old bug in GNU InetUtils telnetd with a 9.8 CVSS score, allows trivial root access exploitation. GreyNoise data shows Telnet sessions dropped 65 percent within one hour on January 14, then 83 percent within two hours. Daily sessions fell from an average 914,000 (December 1 to January 14) to around 373,000, equating to a 59 percent decrease that persists today.
"That kind of step function — propagating within a single hour window — reads as a configuration change on routing infrastructure, not behavioral drift in scanning populations," said GreyNoise's Bob Rudis and "Orbie," in a recent blog post. The researchers' unverified theory is that infrastructure operators may have received information about the make-me-root flaw before advisories went to the masses...
18 operators, including BT, Cox Communications, and Vultr went from hundreds of thousands of Telnet sessions to zero by January 15... All of this points to one or more Tier 1 transit providers in North America implementing port 23 filtering. US residential ISP Telnet traffic dropped within the US maintenance window hours, and the same occurred at those relying on transatlantic or transpacific backbone routes, all while European peering was relatively unaffected, they added.
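The "step function" reasoning GreyNoise describes, as an added example that is not GreyNoise's code: a detector over hourly Telnet session counts that flags an abrupt drop only when it persists, so a one-hour outage or gradual drift in the scanning population does not match. The hourly counts are constructed to resemble the figures quoted above (roughly 65 percent down in one hour, 83 percent in two, then flat); the thresholds are assumptions.

```python
"""Step-change detector for hourly Telnet session counts.

Added example, not GreyNoise's code. A persistent, abrupt drop relative to
the preceding baseline is treated as a step (e.g. a port 23 filter going in
on transit infrastructure); a short dip that recovers is not.
"""
from statistics import median


def detect_step_drop(counts, baseline_hours=24, min_drop=0.5, persist_hours=6):
    """Return (hour_index, drop_fraction) for the first hour whose count is at
    least min_drop below the median of the preceding baseline_hours and stays
    that low for the next persist_hours hours; None if no such step exists."""
    for i in range(baseline_hours, len(counts) - persist_hours):
        base = median(counts[i - baseline_hours:i])
        if base == 0:
            continue
        drop = 1 - counts[i] / base
        if drop < min_drop:
            continue
        # Persistence check: a step stays down; a transient dip recovers.
        tail = counts[i + 1:i + 1 + persist_hours]
        if all(1 - c / base >= min_drop for c in tail):
            return i, round(drop, 2)
    return None


# Constructed data: ~38k sessions/hour (about 914k/day) with mild jitter,
# then a step at hour 30 to ~13.3k (-65%) and hour 31 to ~6.5k (-83%).
BASELINE = [38000 + (h % 5) * 400 for h in range(30)]
STEP = BASELINE + [13300, 6500] + [6700 + (h % 3) * 100 for h in range(10)]

# Constructed control: a two-hour dip that recovers should not be flagged.
TRANSIENT = BASELINE + [12000, 12000] + [38000] * 10

if __name__ == "__main__":
    print("step:", detect_step_drop(STEP))          # (30, 0.66)
    print("transient:", detect_step_drop(TRANSIENT))  # None
```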
Re:Serious Question (Score: 5, Funny)
by Archfeld (6757) <treboreel@live.com> on Saturday February 14, 2026 @03:40PM (#65989204)
Helo
Disclosure Process (Score: 5, Interesting)
by darkain (749283) on Saturday February 14, 2026 @12:51PM (#65988962)
"Telcos likely received advance warning"
Yes, there is a semi-secret mailing list of organizations that are informed of CVEs before public disclosure. Without being on the inside of this particular vulnerability, I can say with 99% certainty that this is indeed the case.
I was brought on as a contractor to help evaluate one of the "sudo" privilege escalation attacks years ago, to test it on a number of platforms. I had about one to two weeks' advance notice of the CVE before it went public to help evaluate potential risk, which is where the "scores" come from. Note, in this context, a platform is more than just a single vendor or single OS; I was brought on as the subject matter expert for a particular CPU architecture and F/OSS operating system combination to see if the exploit was valid there as well. Testing required seeing if the same exploit worked across OS revisions, patch levels, and CPU architectures, and comparing it to other OSes with similar hardware configurations.
There is a whole community behind the scenes of people who are deeply passionate about security doing this work behind closed doors. Many of these people are industry professionals at the hyper-scalers and OS vendors (both open and closed source) and push out patches there first before anything goes public.