The Day the Telnet Died: A Backbone-Level Security Response We Weren’t Supposed to See
On January 14, 2026, global telnet traffic collapsed by 83% in two hours. Six days later, a critical vulnerability was publicly disclosed. The timing probably isn’t coincidental.
The Core Insight
GreyNoise’s Global Observation Grid captured something extraordinary: a step-function drop in telnet sessions worldwide. Not a gradual decline. Not scanner attrition. A single-hour transition from ~74,000 sessions to ~22,000, bottoming at ~11,000 within two hours.
Eighteen ASNs with significant telnet volume went to absolute zero. Five entire countries—Zimbabwe, Ukraine, Canada, Poland, and Egypt—vanished from telnet traffic data. Meanwhile, AWS traffic increased 78%.
The pattern points to one conclusion: a major North American Tier-1 transit provider implemented port 23 filtering on backbone infrastructure.
The CVE Connection
Six days after the traffic collapse, CVE-2026-24061 was disclosed—a CVSS 9.8 authentication bypass in GNU Inetutils telnetd. By sending -f root as a username, attackers get a root shell without credentials. The vulnerable code had sat undiscovered since 2015.
GreyNoise’s hypothesis: advance notification of the vulnerability reached parties with infrastructure-level response capability. Someone implemented port 23 filtering before public disclosure to protect vulnerable systems that might never be patched.
Why This Matters
Infrastructure-Level Security Response: If GreyNoise’s analysis is correct, we’re witnessing coordinated security response at the backbone level—filtering traffic before vulnerabilities are even public. This is unprecedented transparency into how serious vulns might be handled behind closed doors.
The Cloud Exception: AWS, DigitalOcean, and other cloud providers were largely unaffected because they use private peering that bypasses transit backbone paths. This creates a two-tier internet: cloud-native services continuing normally while residential and enterprise ISPs take the security hit.
Telnet’s Final Chapter: The filtering appears to be permanent. We’re now operating at roughly one-third of pre-drop baseline. A protocol that’s been slowly dying for decades may have just received its death certificate from infrastructure operators who decided it simply isn’t worth carrying anymore.
The Technical Forensics
The timing (21:00 UTC / 16:00 EST) matches US maintenance windows. The countries most affected rely on transatlantic or transpacific backbone routes. France and Germany, with strong direct European peering, were unaffected.
Chinese backbone providers (China Telecom, China Unicom) dropped uniformly by 59%—suggesting the filter sits on the US side of transpacific links, not within China. Asymmetric Chinese impact would indicate a Great Firewall action.
Key Takeaways
- Backbone operators can implement protocol-level filtering faster than patch cycles
- The gap between advance notification and public disclosure may include infrastructure-level mitigations
- Cloud providers’ private peering creates security asymmetry with traditional ISPs
- Telnet traffic may never recover—and that’s probably appropriate
Looking Ahead
If you’re running GNU Inetutils telnetd anywhere—embedded systems, network appliances, legacy Linux—patch to 2.7-2 or disable the service. CISA’s remediation deadline for federal agencies is February 16, 2026.
More broadly, this incident suggests the security community has more coordinated infrastructure-response capability than previously visible. The next critical protocol vulnerability might be filtered at backbone level before you even hear about it.
For network operators: if you haven’t filtered port 23 at your border, you’re behind the curve. Someone upstream has already decided your telnet traffic isn’t worth transiting.
Based on analysis of “2026-01-14: The Day the telnet Died” – GreyNoise Labs