Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <a0bbb9af-7714-4be8-ba9d-3525088e7c53@ehuk.net>
Date: Wed, 25 Feb 2026 00:34:29 +0000
From: Eddie Chapman <eddie@...k.net>
To: Justin Swartz <justin.swartz@...ingedge.co.za>
Cc: oss-security@...ts.openwall.com, Solar Designer <solar@...nwall.com>,
 kf503bla@...k.com, bug-inetutils@....org, ron.benyizhak@...ebreach.com,
 simon@...efsson.org, auerswal@...x-ag.uni-kl.de
Subject: Re: Telnetd Vulnerability Report

On 25/02/2026 00:22, Justin Swartz wrote:
> On 2026-02-25 01:18, Eddie Chapman wrote:
>> On 24/02/2026 20:33, Solar Designer wrote:
>>> On Tue, Feb 24, 2026 at 05:05:58AM -0500, kf503bla@...k.com wrote:
>>>> Who uses telnet anyway? It's deprecated. Everyone uses ssh for any 
>>>> kind of remote access.
>>>
>>> Indeed.  Yet:
>>>
>>> Quite many people surely do still use a telnet client to access various
>>> older/smaller devices
>>
>> Yes. I would hazard a guess that the largest cohort of devices running 
>> a telnet server are enterprise switches, gateways & routers. So many 
>> times over the years I've been surprised to find a switch I'm 
>> configuring has a telnet as well as the obligatory http(s) server 
>> available for the admin to login via.
>>
>> Albeit to a lesser extent these days, and more likely BusyBox telnetd 
>> than InetUtils. But switches are one of the most likely pieces of kit 
>> to be forgotten about and left running for 10+ years in a closet 
>> without a firmware update. There are a LOT of old switches running out 
>> there.
> 
> There're also serial port concentrators, programmable automation 
> controllers, remote telemetry units, protocol gateways, data 
> aggregators, and PXI/LXI instrumentation out there that run some of 
> telnet daemon - and you can be sure that it's not always busybox's 
> telnetd implementation.

Well, every cloud has a silver lining ... for some of these devices, 
this vulnerability, together with other ones, just might make it 
possible for owners to completely replace that cesspit of a firmware 
with an OSS one that can be updated :-) (if they have lots of time and 
patience!)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.