Sudden Telnet Traffic Drop. Are Telcos Filtering Ports to Block Critical Vulnerability?

Telcos Allegedly Received Advance Warning on Critical Telnet Vulnerability, Traffic Plummets Days Before Public Disclosure

Threat intelligence firm GreyNoise has published sensor telemetry suggesting that major telecommunications providers may have acted on a critical Telnet vulnerability days before its public disclosure. If that reading holds, it raises questions about who is told what, and when, during coordinated vulnerability disclosure, and whether the process is fair to everyone who runs affected systems.

The Vulnerability: A Decade-Old Bug with Devastating Potential

The vulnerability, CVE-2026-24061, is a critical flaw in the telnetd daemon shipped with GNU InetUtils that sat unnoticed in the code for more than a decade. It carries a CVSS score of 9.8 out of 10, at the top of the critical band. According to the public advisories, it lets an attacker obtain root-level access on an affected host with minimal effort, which amounts to complete control of that system.

What makes this particularly concerning is that Telnet, long deprecated in favour of SSH, remains enabled on many embedded devices, industrial control systems and other legacy infrastructure. Those systems often lack the vendor support or the resources needed to move to SSH, which makes them prime targets for exploitation.

The Suspicious Traffic Drop: A Digital Smoking Gun

GreyNoise’s investigation revealed something unusual: global Telnet traffic, as seen by its sensor network, fell sharply and suddenly on January 14, 2026, six days before the vulnerability was publicly disclosed on January 20. That gap is what has raised eyebrows across the security community.

The drop was a step, not a slope. Observed Telnet sessions fell 65 percent within a single hour on January 14 and 83 percent within two hours. Daily Telnet sessions, which had averaged about 914,000 between December 1 and January 14, settled at roughly 373,000, a 59 percent decrease that has persisted since.

Bob Rudis, a researcher at GreyNoise, noted the unusual nature of this pattern: “That kind of step function—propagating within a single hour window—reads as a configuration change on routing infrastructure, not behavioral drift in scanning populations.” In other words, the drop did not look like scanners or users changing their behaviour; it looked like a deliberate change made at the infrastructure level.

The Scale of the Shutdown: Major Players Go Dark

The scope of the shutdown is equally striking. Eighteen major operators, including BT, Cox Communications and cloud infrastructure provider Vultr, went from hundreds of thousands of observed Telnet sessions to zero within a 24-hour period. A change that abrupt, across that many of the largest networks on the internet, is hard to explain without coordination somewhere upstream.

The evidence is consistent with one or more Tier 1 transit providers in North America filtering TCP port 23, the port Telnet traditionally uses. The geography supports that reading: US residential ISP Telnet traffic dropped during US maintenance-window hours, similar drops hit providers that depend on transatlantic or transpacific backbone routes, and European peering points were relatively unaffected, which suggests a geographically targeted intervention. Two caveats matter for defenders. Transit-level filtering only blocks traffic that crosses the filtering provider’s network, so a telnetd listening on an affected device is still reachable from inside the local network, from peers whose paths avoid those providers, and on any non-standard port the filter does not cover. It reduces exposure; it does not fix the bug.

The “Make-Me-Root” Flaw: Understanding the Threat

The vulnerability has been dubbed the “make-me-root” flaw because it grants root-level privileges with minimal effort. Root-level bugs are the worst case: root can install malware, exfiltrate data, plant backdoors, or use the compromised host as a pivot into the rest of the network.

For embedded and industrial control systems that still rely on Telnet for management, this is a serious threat. Many such systems cannot be patched easily, if at all, and their operators have often relied on the devices being hard to find rather than on Telnet itself, which has never been secure: it carries credentials and commands in cleartext, and obscurity is not a control.

The Disclosure Timeline: What We Know

Security advisories for CVE-2026-24061 went public on January 20, 2026. The traffic drop six days earlier, on January 14, suggests that someone knew about the vulnerability and acted to mitigate it before the public was aware of the threat.

That has led to intense speculation about who had the information and how it reached them. Pre-disclosure notification of vendors, operating-system distributions and large operators is a normal part of coordinated disclosure; what stands out here is the scale and speed of the response, with major carriers and infrastructure providers acting within hours, which points to a well-organised and efficient channel.

Industry Implications: Fairness and Security in the Balance

The potential for selective disclosure raises serious ethical questions about the vulnerability disclosure process. If major infrastructure providers did indeed receive advance warning, this creates an uneven playing field where well-resourced organizations can protect themselves while smaller entities remain vulnerable.

This situation highlights the ongoing tension between the need for rapid disclosure to protect the broader internet community and the desire to give critical infrastructure providers time to prepare for potential attacks. The challenge lies in finding a balance that protects everyone without creating privileged classes of defenders.

The Broader Context: Telnet’s Persistence in Modern Networks

The fact that Telnet remains so widely used, despite being deprecated for decades, underscores the challenges of modernizing legacy infrastructure. Many embedded systems, industrial controllers, and specialized network devices continue to rely on Telnet for management due to hardware limitations, software compatibility issues, or simply because they’ve been operating reliably for years without incident.

This persistence of outdated protocols is a standing security problem. While most of the IT world moved to SSH long ago, these legacy systems remain exposed to attacks on bugs that have sat in the code for a decade or more. The “make-me-root” flaw is a stark reminder that old vulnerabilities never truly die; they wait for the right conditions to become relevant again.

Looking Forward: Lessons and Recommendations

This incident provides several important lessons for the security community. First, network traffic patterns can serve as an early-warning signal. The sudden drop in Telnet traffic indicated that something significant was happening six days before the vulnerability was public. Note what the signal was: not attacker activity, but defenders reacting. A collapse in a protocol’s traffic is worth investigating as much as a spike.
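The early-warning idea above, and the step-versus-drift distinction Rudis draws in the traffic-drop section, can be turned into a simple detector over hourly counts. The following is an added example, not GreyNoise’s code or data: the hourly series is constructed to mimic the January 14 pattern (65 percent down in one hour, 83 percent within two, settling about 59 percent below the old daily level), and the function flags any hour that falls at least `drop_threshold` below the trailing median and records whether the lower level persisted (a step) or recovered (a blip). Window sizes and thresholds are assumptions to tune against real telemetry.

```python
"""Step-function detection over an hourly session-count series.

Added example (not GreyNoise's code or data). The series below are constructed
to mimic the January 14 pattern described in the article.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Assumed start of the constructed series: 48 hours before the drop.
SERIES_START = datetime(2026, 1, 12)


@dataclass
class StepDrop:
    hour: datetime
    baseline: float   # trailing median of the hours before the drop
    value: int        # count observed in the flagged hour
    drop_pct: float   # percentage below baseline
    persisted: bool   # True if the lower level held for persist_hours afterwards


def detect_step_drops(counts, start=SERIES_START, baseline_hours=24,
                      drop_threshold=0.5, persist_hours=6):
    """Flag hours whose count is at least drop_threshold below the trailing
    median, and record whether the drop held (a step) or recovered (a blip)."""
    found = []
    i = baseline_hours
    while i < len(counts):
        baseline = median(counts[i - baseline_hours:i])
        ceiling = baseline * (1 - drop_threshold)
        if baseline > 0 and counts[i] <= ceiling:
            tail = counts[i + 1:i + 1 + persist_hours]
            persisted = len(tail) == persist_hours and all(c <= ceiling for c in tail)
            found.append(StepDrop(
                hour=start + timedelta(hours=i),
                baseline=baseline,
                value=counts[i],
                drop_pct=round(100 * (1 - counts[i] / baseline), 1),
                persisted=persisted,
            ))
            if persisted:
                # Skip ahead until the baseline window no longer straddles
                # the old level, so one step is reported once, not every hour.
                i += baseline_hours
        i += 1
    return found


def level_change(counts, split_index, hours_per_day=24):
    """Average daily count before and after split_index, and the percent drop."""
    days_before = split_index / hours_per_day
    days_after = (len(counts) - split_index) / hours_per_day
    before = sum(counts[:split_index]) / days_before
    after = sum(counts[split_index:]) / days_after
    return before, after, round(100 * (1 - after / before), 1)


def build_sample_series():
    """Constructed hourly counts: 48 hours near 38,000/h (~914k/day), the drop
    hour, a second hour lower still, then 46 hours near 15,500/h (~373k/day)."""
    pre = [38_000 + 150 * ((h * 7) % 5 - 2) for h in range(48)]  # small jitter
    return pre + [13_300, 6_500] + [15_500] * 46


def build_blip_series():
    """Constructed control case: a one-hour outage that recovers fully."""
    return [38_000] * 30 + [10_000] + [38_000] * 10


if __name__ == "__main__":
    for d in detect_step_drops(build_sample_series()):
        kind = "STEP" if d.persisted else "blip"
        print(f"{kind} at {d.hour:%Y-%m-%d %H:00}: {d.value} vs baseline "
              f"{d.baseline:.0f} ({d.drop_pct}% drop)")
    print("daily before/after/drop%:", level_change(build_sample_series(), 48))
```

On the constructed series the detector reports a single persisted step at the first hour of January 14 (65 percent below a 38,000 baseline) and a 59.8 percent fall in the daily average, while the control series, a one-hour outage that recovers, is reported as a blip. The trailing median is used rather than the mean so that the baseline is not dragged down by the drop hours themselves.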

Second, it highlights the need for more robust and equitable vulnerability disclosure processes. If selective disclosure did occur, it represents a failure of the current system to protect all internet users equally. Moving forward, the industry may need to reconsider how advance warnings are distributed and whether additional safeguards are needed to prevent unfair advantages.

Finally, this incident is a wake-up call for organisations still running Telnet. The scale of the providers’ response shows how seriously the industry takes this class of bug. Organisations that have not yet migrated should find every telnetd they still run, disable it where they can, restrict TCP port 23 at their own network edge rather than relying on upstream filtering, apply vendor updates where available, and move management access to SSH.
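Finding the Telnet services you still run is the first step of that advice. The following is an added example, not code from the article or from GreyNoise: it parses the output of `ss -Hltnp` (listening TCP sockets with owning processes, no header) and an `inetd.conf`, and flags any listener on port 23 or owned by a process whose name contains “telnet”, so a telnetd moved to a non-standard port is caught as well. Both inputs below are constructed samples in the format those sources produce; on a real host, feed in the live output instead.

```python
"""Inventory Telnet exposure on a host from `ss -Hltnp` output and inetd.conf.

Added example (not from the article or GreyNoise). The two inputs below are
constructed samples in the format those sources produce.
"""
import re

# ss -Hltnp rows: STATE RECV-Q SEND-Q LOCAL:PORT PEER:PORT [users:((...))]
SS_LINE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+(?:\s+(?P<proc>.*\S))?\s*$"
)

WILDCARDS = {"0.0.0.0", "[::]", "*"}  # bound on every interface

# Constructed sample of `ss -Hltnp` output.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=700,fd=3))
LISTEN 0 5 0.0.0.0:23 0.0.0.0:* users:(("inetd",pid=512,fd=4))
LISTEN 0 5 [::]:2323 [::]:* users:(("telnetd",pid=901,fd=3))
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=640,fd=7))
"""

# Constructed sample of /etc/inetd.conf with telnet left enabled.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample)
#ftp    stream tcp nowait root /usr/sbin/tcpd in.ftpd
telnet  stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd
"""


def split_local(local):
    """Split '0.0.0.0:23' or '[::]:2323' into (host, port)."""
    host, _, port = local.rpartition(":")
    return host, int(port)


def telnet_listeners(ss_output, telnet_ports=(23,)):
    """Return listeners on a Telnet port OR served by a 'telnet' process."""
    hits = []
    for raw in ss_output.splitlines():
        m = SS_LINE.match(raw.strip())
        if not m:
            continue
        host, port = split_local(m.group("local"))
        proc = m.group("proc") or ""
        if port in telnet_ports or "telnet" in proc.lower():
            hits.append({
                "addr": host,
                "port": port,
                "process": proc,
                "wildcard": host in WILDCARDS,
            })
    return hits


def inetd_telnet_enabled(inetd_conf):
    """True if inetd.conf has an uncommented telnet service line."""
    for raw in inetd_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] == "telnet" and "telnetd" in line:
            return True
    return False


if __name__ == "__main__":
    for h in telnet_listeners(SAMPLE_SS):
        scope = "ALL interfaces" if h["wildcard"] else h["addr"]
        print(f"telnet listener: port {h['port']} on {scope} [{h['process']}]")
    print("inetd telnet enabled:", inetd_telnet_enabled(SAMPLE_INETD_CONF))
```

On the sample input the check reports two listeners: port 23 on all interfaces, served by inetd (the usual way telnetd is launched, which is why the process name alone is not enough to find it), and a telnetd on port 2323, which a port-23 filter would never have touched. Treat a hit on a wildcard address as exposed to every network the host is attached to.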

The Investigation Continues

As the cybersecurity community continues to investigate this incident, many questions remain unanswered. Who had advance knowledge of the vulnerability? How was this information distributed? Were proper protocols followed in the disclosure process? And most importantly, what can be done to prevent similar situations in the future?

GreyNoise and other threat intelligence firms continue to monitor the situation, and additional details may emerge as the investigation progresses. What is clear is that this incident has exposed weaknesses in the current disclosure ecosystem and may lead to substantial changes in how critical security information is shared.

For now, the dramatic drop in Telnet traffic serves as a reminder of the constant cat-and-mouse game between attackers and defenders in the cybersecurity landscape. As new vulnerabilities are discovered and disclosed, the race to patch and protect systems becomes increasingly urgent—and increasingly complex.

Tags

Telnet vulnerability, CVE-2026-24061, GreyNoise, cybersecurity disclosure, make-me-root flaw, network infrastructure, port 23 filtering, legacy systems security, vulnerability timeline, telco security, GNU InetUtils, CVSS 9.8, advance warning, internet backbone, threat intelligence
