Mass Telnet Exploitation Underway as Hackers Target Hundreds of Thousands of Internet-Exposed Systems

Open-Source Attacks – Active Telnet Exploitation Campaign

Date Observed: February 5, 2026

Overview

A large-scale, active exploitation campaign is currently targeting internet-exposed Telnet services using a critical authentication bypass vulnerability identified as CVE-2026-24061. The flaw allows unauthenticated remote attackers to gain root-level access to affected systems without valid credentials. Current scanning activity indicates that hundreds of thousands of Telnet servers remain publicly reachable, many of which are vulnerable.

Attackers are exploiting this exposure opportunistically and at scale. Successful exploitation is immediately followed by attempts to deploy Python-based malware, perform system reconnaissance, and establish persistence. The activity is automated, fast, and indiscriminate, impacting legacy servers, embedded systems, network appliances, and industrial devices.

This is an active threat event, not a theoretical or historical issue.


Vulnerability Details

CVE-2026-24061 affects certain Telnet server implementations derived from older open-source Telnet daemon code. The vulnerability exists in how the Telnet service processes user-supplied environment variables during the authentication phase.

By sending a specially crafted Telnet session initiation request, an attacker can manipulate internal login handling logic and bypass authentication checks entirely. In successful cases, the Telnet daemon spawns a shell with root or equivalent administrative privileges.

Key characteristics of the vulnerability:

  • Remote exploitation over TCP port 23
  • No authentication required
  • No user interaction required
  • Results in full system compromise
  • Reliable and scriptable exploitation

From an attacker’s perspective, this is equivalent to an exposed root shell on the internet.


Affected Systems

Systems at risk include, but are not limited to:

  • Legacy Linux and Unix servers
  • Embedded Linux devices
  • IoT hardware
  • Network appliances
  • Industrial control and operational technology systems
  • Systems using outdated or vendor-modified Telnet daemons

Many affected devices are unmanaged, unpatched, or no longer supported. In several cases, Telnet was enabled for debugging or maintenance and never disabled.


Attack Lifecycle

Initial Discovery and Targeting

Attackers conduct continuous internet-wide scanning for systems with TCP port 23 open. Any responsive Telnet service is immediately probed for vulnerability. This scanning is highly automated and distributed.

Exploitation

Once a vulnerable service is identified, the attacker sends a crafted Telnet request that triggers the authentication bypass. If successful, the attacker receives an interactive shell without providing credentials.

No brute force or credential guessing is involved.

Post-Exploitation Reconnaissance

Immediately after gaining access, attackers typically execute a small set of commands to understand the environment. Common actions include:

  • Identifying system architecture
  • Checking OS version and kernel
  • Locating writable directories
  • Verifying availability of interpreters such as Python
  • Checking outbound network connectivity

These steps determine whether the system is useful for persistence or secondary payload deployment.

Malware Deployment

Attackers attempt to deploy Python-based malware using one or more of the following methods:

  • Direct download using curl or wget
  • Echoing encoded payloads into files
  • Executing Python code inline
  • Attempting multiple directories until a writable location is found

In some environments, payload execution fails due to missing interpreters or restricted filesystems. In others, malware successfully executes and establishes persistence.

Persistence and Cleanup

On systems where deployment succeeds, attackers may:

  • Create cron jobs
  • Modify startup scripts
  • Add SSH keys
  • Replace system binaries
  • Clear shell history and logs

Persistence mechanisms vary depending on system capabilities.


Malware Characteristics

The malware observed in this campaign is lightweight and modular.

Common traits include:

  • Written in Python for portability
  • Designed to fetch additional payloads
  • Establishes outbound connections to remote command servers
  • Periodically beacons for instructions
  • Attempts to evade detection by renaming processes
  • Kills competing malware processes if detected

The malware is not targeted to a single industry or geography. Its primary goal appears to be mass compromise and infrastructure expansion.


Impact and Risk Assessment

Any successfully exploited system should be considered fully compromised.

Potential impacts include:

  • Complete loss of system integrity
  • Data theft or manipulation
  • Use of the system as a botnet node
  • Lateral movement within internal networks
  • Abuse of trusted infrastructure for further attacks
  • Service disruption or device instability

For embedded or industrial systems, compromise may lead to operational failures that are difficult to detect or diagnose.


Indicators of Compromise

Network Indicators

  • Inbound Telnet connections from unfamiliar or geographically unusual IP addresses
  • Repeated short-lived Telnet sessions
  • Unexpected outbound connections from devices that normally do not initiate external traffic
  • Outbound connections on high or uncommon TCP ports

Host-Based Indicators

  • New or unexpected Python processes
  • Python executing from temporary or unusual directories
  • Files created in locations such as:
    • /tmp/
    • /var/tmp/
    • /dev/shm/
    • /run/
  • Cron jobs or scheduled tasks not previously present
  • Modified startup scripts
  • Unexpected user accounts or SSH keys
  • Missing or altered log files

Command Indicators

Common commands seen during exploitation and setup include:

  • uname -a
  • id
  • whoami
  • cat /etc/os-release
  • which python
  • python -c
  • curl
  • wget
  • chmod +x
  • crontab -l

Detection Logic

Network Detection

Monitor for inbound Telnet connections from the internet. Any external Telnet access should be treated as suspicious by default.

Flag Telnet sessions that:

  • Do not include a normal authentication exchange
  • Immediately execute system commands
  • Terminate quickly after command execution

Inspect outbound traffic from Telnet-enabled systems for:

  • Unexpected external IP connections
  • Repeated beaconing behavior
  • Connections initiated shortly after Telnet access

Host-Based Detection

Alert on:

  • Python execution on systems where Python is not normally used
  • Python running from non-standard paths
  • Creation of executable files in temporary directories
  • Modification of cron jobs or startup files
  • Sudden changes in file permissions or ownership

Correlate events where Telnet access is followed by process creation within seconds.

Behavioral Correlation

High-confidence compromise indicators include:

  • Telnet session followed by root-level command execution with no preceding authentication exchange
  • Telnet access followed immediately by Python execution
  • Telnet access followed by outbound network connections
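Added example, not part of the advisory: a small correlation script that applies the behavioral correlation and host indicators above (Telnet access followed within seconds by Python from a temporary directory, inline `python -c`, or an outbound connection) to a few constructed events. The log schema, host names and IP addresses are assumptions made for the illustration.

```python
import re
from datetime import datetime

# Constructed log schema (an assumption, not a real product format): "<ISO ts> <host> <kind> <detail>",
# kind being telnet_in (source IP), proc (executable + args) or net_out (destination ip:port).
LINE_RE = re.compile(r"^(\S+) (\S+) (telnet_in|proc|net_out) (.*)$")
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/")  # drop locations named in the advisory
INLINE_PY = re.compile(r"python[\d.]* -c\b")                      # inline 'python -c' execution

def parse(lines):
    """Return (timestamp, host, kind, detail) tuples sorted by time; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m[1]), m[2], m[3], m[4]))
    return sorted(events)

def is_suspicious_proc(detail):
    """Python launched from a temporary directory, or inline code via 'python -c'."""
    exe = detail.split()[0] if detail.split() else ""
    return ("python" in exe and exe.startswith(SUSPICIOUS_DIRS)) or bool(INLINE_PY.search(detail))

def correlate(lines, window=30):
    """Alert when a host's inbound Telnet connection is followed within `window`
    seconds by suspicious Python execution or by an outbound connection."""
    events = parse(lines)
    alerts = []
    for t_ts, t_host, _, _ in (e for e in events if e[2] == "telnet_in"):
        for ts, host, kind, detail in events:
            if host != t_host or kind == "telnet_in" or not 0 <= (ts - t_ts).total_seconds() <= window:
                continue
            if kind == "proc" and is_suspicious_proc(detail):
                alerts.append((host, "telnet->python", detail))
            elif kind == "net_out":
                alerts.append((host, "telnet->outbound", detail))
    return alerts

# Constructed sample events: hosts and IPs (RFC 5737 documentation ranges) are made up.
SAMPLE_LOG = """
2026-02-05T10:00:00 plc-gw-01 telnet_in 203.0.113.7
2026-02-05T10:00:03 plc-gw-01 proc /bin/uname -a
2026-02-05T10:00:05 plc-gw-01 proc /usr/bin/python -c import urllib
2026-02-05T10:00:09 plc-gw-01 proc /tmp/.x/python /tmp/.x/a.py
2026-02-05T10:00:12 plc-gw-01 net_out 198.51.100.20:6667
2026-02-05T11:00:00 fileserver proc /usr/bin/python3 /opt/backup/run.py
2026-02-05T11:30:00 fileserver net_out 192.0.2.5:443
""".splitlines()
for host, rule, detail in correlate(SAMPLE_LOG):
    print(f"{host}: {rule}: {detail}")
```

The benign `fileserver` events produce no alert because no Telnet connection precedes them; shrinking `window` tightens the correlation.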

Recommended Response Actions

Immediate Actions

  • Disable Telnet services on all systems where it is not strictly required
  • Block TCP port 23 at network boundaries
  • Remove internet exposure for management interfaces
  • Isolate any system suspected of compromise

Incident Response

For exposed systems:

  • Assume compromise even if no malware is found
  • Preserve logs and memory where possible
  • Rebuild systems rather than attempting cleanup
  • Rotate credentials and keys
  • Review internal network access from affected hosts

Long-Term Mitigation

  • Replace Telnet with secure alternatives
  • Conduct full asset discovery to identify legacy services
  • Implement continuous exposure monitoring
  • Segment management networks
  • Decommission unsupported devices

Final Takeaway

This campaign is exploiting a perfect storm of legacy technology, poor visibility, and internet exposure. The vulnerability is trivial to exploit, highly reliable, and devastating in impact.

Any system running Telnet and reachable from the internet should be considered actively at risk. In many cases, compromise may already have occurred without detection.

This is not an edge case. This is a widespread, ongoing attack surface that attackers are actively harvesting.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.