Sudden Telnet Traffic Drop. Are Telcos Filtering Ports to Block Critical Vulnerability?
Source: Slashdot
Report Overview
An anonymous reader shared this report from The Register:
Telcos likely received advance warning about January’s critical Telnet vulnerability before its public disclosure, according to threat-intelligence firm GreyNoise. Global Telnet traffic “fell off a cliff” on January 14, six days before security advisories for CVE-2026-24061 went public on January 20. The flaw, a decade-old bug in GNU InetUtils telnetd with a 9.8 CVSS score, allows trivial root-access exploitation.
GreyNoise data shows Telnet sessions dropped 65 % within one hour on January 14, then 83 % within two hours. Daily sessions fell from an average 914,000 (December 1 – January 14) to around 373,000, a 59 % decrease that persists today.
“That kind of step function — propagating within a single‑hour window — reads as a configuration change on routing infrastructure, not behavioral drift in scanning populations,” said GreyNoise’s Bob Rudis and “Orbie,” in a recent blog post.
The researchers’ unverified theory is that infrastructure operators may have received information about the make‑me‑root flaw before advisories went to the masses.
Key Findings
- 18 operators, including BT, Cox Communications, and Vultr, went from hundreds of thousands of Telnet sessions to zero by January 15.
- The pattern points to one or more Tier 1 transit providers in North America implementing port 23 filtering.
- US residential ISP Telnet traffic dropped within the US maintenance‑window hours, and the same occurred for traffic relying on transatlantic or transpacific backbone routes, while European peering was relatively unaffected.