Re: Telnetd Vulnerability Report

[Eddie Chapman <eddie () ehuk net>]

On 25/02/2026 00:22, Justin Swartz wrote:
> On 2026-02-25 01:18, Eddie Chapman wrote:
> > On 24/02/2026 20:33, Solar Designer wrote:
> > > On Tue, Feb 24, 2026 at 05:05:58AM -0500, kf503bla () duck com wrote:
> > > > Who uses telnet anyway? It's deprecated. Everyone uses ssh for any 
> > > > kind of remote access.
> > >
> > > Indeed.  Yet:
> > >
> > > Quite many people surely do still use a telnet client to access various
> > > older/smaller devices
> >
> > Yes. I would hazard a guess that the largest cohort of devices running 
> > a telnet server are enterprise switches, gateways & routers. So many 
> > times over the years I've been surprised to find a switch I'm 
> > configuring has a telnet as well as the obligatory http(s) server 
> > available for the admin to login via.
> >
> > Albeit to a lesser extent these days, and more likely BusyBox telnetd 
> > than InetUtils. But switches are one of the most likely pieces of kit 
> > to be forgotten about and left running for 10+ years in a closet 
> > without a firmware update. There are a LOT of old switches running out 
> > there.
>
> There're also serial port concentrators, programmable automation 
> controllers, remote telemetry units, protocol gateways, data 
> aggregators, and PXI/LXI instrumentation out there that run some of 
> telnet daemon - and you can be sure that it's not always busybox's 
> telnetd implementation.

Well, every cloud has a silver lining ... for some of these devices, 
this vulnerability, together with other ones, just might make it 
possible for owners to completely replace that cesspit of a firmware 
with an OSS one that can be updated :-) (if they have lots of time and 
patience!)