The Day the Telnet Died

> Tier 1 transit providers doing port filtering is EXTREMELY alarming.

I was admining a small ISP when blaster and its variants hit. Port filtering 139 and the rest was the easiest way to deal with it, and almost over night most of the ISPs blocked it, and we were better for it. There was a time when if you'd put a fresh XP install on the Internet you'd get 5-10 minutes until it would get restarted.

I guess if you're really an admin that needs telnet, you can move it to another port and go around it? Surely you'd tunnel that "old box that needs to stay alive" if that's the usecase? Is there anyone seriously running default telnet on 23 and is really affected by this filtering?

I do not know what is more critical: the risk of censorship or stand by while hospitals, banking, nuclear power plants and other systems become compromised and go down with people dying because of it. These decision makers not only have powers but also have a responsibility

This simply isn't happening, and we have the data to prove it: https://www.terracenetworks.com/blog/2026-02-11-telnet-routi...

Port 23 has been filtered by most providers for decades.

This is why everything converges on using TLS over 443 or a high port number. I don't see this as a huge deal, and especially not one deserving all caps rants about censorship. Save those for things like FOSTA/SESTA.

So basically the same as censorship because that is the exact same thing blocking ports does.

not to mention, filtering on udp vs tcp, which makes using anything else impossible. Not that I have one, but it's just a bit in a field, why filter on it?

I can connect with the GNU telnet client via the Spectrum ISP to servers in both Seattle and the Netherlands.

The more I work in software, the more amazed I am that anything works at all. There's likely so much low hanging fruit out there

I never sent root over telnet, but I spent too much vacation time browsing the web via lynx on my school AIX account from a library near my parents' home, because it had a telnet client in addition to the card catalogue program on the otherwise locked down desktop. It was just a more innocent time: you didn't assume your traffic was being logged six ways to Sunday. With telnet access to my AIX account, I could do all the internet things, like mail (pine) and the web (lynx) and irc, from a convenient command line anywhere in the world.

When did we all stop using telnet? I can't even remember. Most of my first 10-15 years was using telnet. One day I used telnet to connect to a shell for the last time and didn't know it. I had a ton of servers all with root telnet access Internet facing. Never hacked once, somehow. Those were the days.

It's hilarious, especially given that I have memories of similar rlogin vulnerabilities -- various unixes being vulnerable to rlogin -l '-froot' in the 90s.

Never used telnet to log in to something but it is a cool debugging tool, so used it for that. E.g. can this container even send traffic to that container at all.

netcat, socat and openssl s_client are all available for general manual connection testing.

As are many other tools. But the ones above are basically far better direct telnet alternatives.

I don’t remember how I did it but when I was about 12 years old I somehow managed to send SMS from Telnet to cell phones, and to the receiver they appeared to be sent by an official Telecom account - good that I was still an innocent child, had I discovered this a few years later I may have tried doing something nefarious with it.

None of this affects the use of telnet the client program nor the ability to run a telnetd on your own host (but do be sure it's patched!).

What's happened is that global routing on the internet (or big chunks of it, it's not really clear) has started blocking telnet's default port to protect presumably-unpatched/unpatchable dinosaur systems from automated attack. So you can no longer (probably) rely on getting to a SMTP server to deliver that spoofed email unless you can do it from its own local environment.

To watch Star Wars in ASCII.

telnet towel.blinkenlights.nl https://www.youtube.com/watch?v=Mhcf6tc2jeQ

(Remember hearing about this a long time ago (from some searching I think it was in 1999 via Slashdot) and verified some instance of it still exists/works.)

Telnet is used in legacy, IoT, embedded, and low-level industrial hardware. It's also intentionally enabled on devices where automation was written for telnet and it wasn't easy to switch to ssh.

If you investigate most commercial uses of ssh, the security is disabled or ignored. Nobody verifies host keys, and with automation where hosts cycle, you basically have to disable verification as there's no easy way around the host keys constantly changing. Without host key verification, there's kinda no point to the rest.

Even assuming the host keys were verified, the popular ssh conventions are to use either long-lived static keys (and almost nobody puts a password on theirs), or a password. Very few people use SSH with 2FA, and almost no-one uses ephemeral keys (OIDC) or certificates (which many people screw up).

So in terms of how people actually use it, SSH is one of the least secure transport methods. You'd be much more secure by using telnet over an HTTPS websocket with OAuth for login.

Hams use it over packet radio sometimes since encryption is forbidden on the amateur bands.

IMHO we need a good telnet replacement that sends signed data. Most people interpret signatures as allowed under FCC rules, just not encryption.

One? All the talkers still use it and all the MUDs/MOOs etc. far out number the talkers.

As I understand it, greynoise is monitoring scanner traffic, so yes this would all be scans or attacks

I run a DikuMUD that users connect to using Telnet

I really should update it to allow more secure options

One reason would be to play MUDs, which are very well and alive these days!

How else would I connect to my BBS to play L.O.R.D. and check FidoNet.

nethack.alt.org still maintains a telnet server!

telnet lambda.moo.mud.org 8888

Aardwolf works well from my work laptop. And I don’t care if someone sees what I’m doing

Probably one of the reasons this bug survived so long is that it isn't used much for priveleged access any more, but so you can play a moo or play you an ASCII movie, as people below you are replying.

Some of us still run historical systems for preservation's sake.

To play DOOM.

  telnet doom.w-graj.net 666

I just tried on a Zyxel Wifi AP I have.

It seems to use a different telnetd (busybox?), because from what I can tell it's not prone to this error.

Most MUDs do not use Telnet.

MUDs use plaintext TCP protocols that are accessible to a wide range of clients.

The Telnet protocol is well-defined and not completely plaintext. There are in-band signaling methods and negotiations. Telnet is defined to live on 23/tcp as an IANA well-known, privileged, reserved port.

MUDs do none of this. You can usually connect to a MUD using a Telnet client, but most players hate the experience and often deride this method in favor of a dedicated, programmable client.

The fact that MUDs inhabit higher 4-digit ports is an artifact from their beginnings as unprivileged, user-run servers without a standardized protocol or an assigned “well-known port” presence. If you want your MUD to be particularly inaccessible, you could certainly run on port 23 now!

It wasn’t clear from the article but I assumed they were filtering for the attack specifically.

Since Telnet is totally plain text that would absolutely be easy to do right?

It seems like they are doing a port based block similar to how residential lines often have their SMTP ports shut off.

That said in this day and age, servers on the public network really ought to use SSH.

>some dude is singlehandedly responsible

Well, one person to put up the PR and one dude to approve it - back in 2015. It isn't the security researcher's fault.

A very very long time ago as an intern I was working on a perl cgi script and I would often test it with telnet. I was used to messing around with hayes commands so manually typing in HTTP commands seemed like a natural extension of that.

I did this too, lol

Telnet's cleartext and always has been. A backdoor seems like overkill.

> backdoor

Do you mean that it's intentional? Why do you think so?

It wasn't a backdoor, just a very serious security bug. Congrats on jumping straight to conspiracy and paranoia, though.

From ChangeLog:

    * telnetd/utility.c (getterminaltype): Change the
      name `user_name' to `uname', as the former shadows a precious
     and global variable name.

Wouldn't attention to getenv() calls yield more benefit? Such calls are where input typically isn't parsed--because parsing is "hard"--becoming targets for exploit.

The present fix is to sanitize user input. Does it cover all cases?

Argument injection can happen in any programming language where you can concatenate strings and call something with the result.

It's also not DNS!

There's no UNIX requirement for telnet.

Ubuntu does not include it by default (starting 16.04?). Most most distros don't.

Thats what the mystery exceptions for the Open Group macOS UNIX certification was for!

There's always nc hostname 23 unless you need authentication

it was just ai written thats why.. unexpectedly so from greynoise.

Embedded? Ancient? What sort of systems are you telnetting into?

You passed '-f root' to login (a single long string). telnetd is likely passing '-f' 'root' to login (two arguments instead of one, whether this is because it creates two, or it uses the shell (which then reparses) I don't know).

But '-f' is a valid option to login (man login):

login [-p] [-h host] [-H] [-f username|username]

...

-f Used to skip a login authentication. This option is usually used by the getty(8) autologin feature.

FYI: it might be better to search by port:23

https://www.shodan.io/search?query=port%3A23

Or to filter by product:telnetd

https://www.shodan.io/search?query=product%3Atelnetd

A query of "telnet" searches Shodan for banners where the "data" property contains the string "telnet":

https://book.shodan.io/getting-started/query-syntax/

Oldschool telnetd didn’t actually run as root; rather, it just set up a PTY for the incoming socket to talk to, and then fork-exec’ed a /bin/login subprocess to live inside that pty. /bin/login is setuid-root, so it’s “where the security lived.”

I think we all collectively decided that that was a bad idea at some point — probably because /bin/login was never designed under the assumption that it would have to deal with arbitrary binary network traffic being thrown at it (it really only expects keyboard input.) So we switched to doing auth directly in our network daemons, since at least then “people who are aware the code is network-facing” would be maintaining it.

Literally how else is a remote login daemon supposed to work though?

What do you think proper architecture would be, given that ssh needs a capability to let root logins?

I suppose it could be via a proper PAM module, which is widely supported.

Too bad the first PAM RFC was published about the same time the first be version of ssh was released.

OpenSSH has been moving quite quickly in the direction of multiple, privilege separated processes, each also heavily sandboxed with pledge and unveil

  1. TELNET is an IETF-standard protocol defined by RFCs.
  2. Telnet is a well-known port assigned by the IANA (tcp/23).
  3. telnet is a client program, originated on Unix, available on many systems, and likely from a quite homogeneous codebase.
  4. telnetd is a server program, also originated on Unix for the purpose of implementing Telnet protocol as a login server. Also a homogeneous codebase or two.

TFA is about items 2 and 4, and 1/3 are completely unrelated.

IIRC, the only traffic that was monitored and detected here is the scanning. The vulnerability scanners that try and detect, for better or worse, what someone's running on port 23, fingerprint it, and figure out if it's a vulnerability.

Interestingly, filtering port 23 only mitigates the CVE by happenstance. It is merely by convention that telnetd runs on port 23, so that people can use it to log in remotely. There is no constraint that requires port 23. Any other service could usurp 23/tcp for itself if the admin decrees it. So, filtering port 23 is an effective mitigation for the defaults of someone running a vulnerable server on the standard port. But it is not a panacea, and it doesn't prevent anyone from using the telnetd server, or the telnet client, except for port 23.

But it also prevents you from offering any service on port 23/tcp, lest it be filtered. You wouldn't want to run a web server, sshd, a MUD, or anything else, because your connectivity would be negatively impacted for this reason. (The common experience is that a lot of Windows SMB/NetBIOS ports are blocked, and SMTP and port 80, on a lot of consumer ISPs, although this is contrasting the ISP situation to Tier-1 transit carriers now.)

...except that port 23 seems to now be filtered across the internet at large, leading to a huge drop-off in telnet traffic over the course of days if not hours. I think it's safe to say that even if you patch telnetd, being able to use telnet over the internet is not possible in many places (including Canada, according to the data).

You might wanna use netcat for that instead [1]. Or, for example, socat [2]. Netcat has been around for a long, long time now.

[1] nc (1) - arbitrary TCP and UDP connections and listens

[2] socat (1) - Multipurpose relay (SOcket CAT)

That's not really telnet. Yeah, it's using the same client, but the server and underlying protocol are what's relevant here.

The modern replacement for telnet used in the "probe a port" fashion is nc/netcat.

Your dial up ever die when you where checking your email? My ISP didn't allow for leave copy on server, I remember times I lost emails to this.

Personally, I found the spoof song in the middle of very dry writing to be jarring. But I didn't think it sounded AI written.

What stood out as AI written? It felt like a well-written article by an SME to me.

Okay, it is really weird. This was not an exploit difficult to pull off, or discover. It is such an elementary error that any script kiddie could have leveraged it anywhere, once it was understood.

Is there proof or evidence that it was never exploited in all of 10 years and remained as a latent zero-day?

The only saving grace I would propose, is that since telnetd has been aggressively deprecated once ssh became popular, and encryption became ubiquitous, and remote exploits became commonplace, and Starbucks WiFi was routinely surveilled, that telnetd simply wasn't running anywhere, anymore.

We have commenters saying that embedded systems and IoT used telnet servers. But were they running an actual GNU telnetd or just a management interface that answered on port 23/tcp? Commenters are citing statistics of "open port 23", but that means nothing in terms of this CVE, if it ain't GNU telnetd. Cisco has literally always used port 23 for management. Other routers and network devices use port 23 without telnetd.

How popular was GNU telnetd to be running on a system and exposed to the Internet? This article pertains to all the port-scanners running everywhere, so surely someone with a Shodan account can make a survey and tell us: who was still exposing GNU telnetd in 2026?

Someone attempted to compromise my home router last week using CHARGEN. Can you imagine!

The difference between "telnet" the program and "telnet" the protocol is especially important in this discussion, I think.

A more "proper" tool for that is netcat -- I doubt SMTP supports the Telnet option negotiations subsystem. (I also doubt SMTP servers can interpret the full suite of Network Virtual Terminal (NVT) commands that the Telnet protocol supports.) There's clearly enough similarity between the two protocols that if you're just using it to transfer plaintext it will probably work out fine, but they are distinct protocols.

I used telnet(1) as a generic TCP text client for many years before switching to GNU/BSD netcat. Nowadays, netcat is more prominent then telnet, and telnet had its corner cases with control characters.

Never heard about https://jetmore.org/john/code/swaks/, thanks for the tip.

You want nc (usually with -v) or socat. telnet is muscle memory for a lot of people (myself included sometimes) but it's a strictly inferior choice these days for poking arbitrary plaintext services.

I discovered swaks recently, god I love that tool

I think it would be better suited to use the terms we use for natural languages. A natural language is dead when the last person who learned it as first language dies and are extinct when there is noone that would speak it at all.

In these terms, telnet has been dead for a long while, but it's extinct now.

Stop spamming AI slop