HeadlinesBriefing.com

Telnet Protocol Collapse 2026: Backbone Drop and Vulnerability Fallout


On January 14, 2026, global telnet traffic plummeted 65% in one hour, dropping from 914,000 to 22,460 sessions. This step-function collapse, observed by GreyNoise, wasn’t gradual but structural, affecting 18 ASNs including Vultr (382K sessions pre-drop), Cox Communications (150K), and Charter/Spectrum (141K). By January 15, five countries — Zimbabwe, Ukraine, Canada, Poland, and Egypt — vanished from telnet data entirely.

The timing coincided with CVE-2026-24061, a critical (CVSS 9.8) authentication bypass in GNU Inetutils telnetd that allows unauthenticated root access. However, the six-day gap between the traffic drop and the CVE disclosure suggests a possible link: researchers reported the flaw on January 19, prompting Tier 1 transit providers, likely US-based, to implement port 23 filtering. This filtered traffic from residential ISPs like Verizon (79% drop) while cloud providers (AWS +78%) remained unaffected, hinting at infrastructure-level mitigation.

Post-drop, telnet activity shows recurring spikes and troughs, implying intermittent filtering or routing adjustments. Countries reliant on transatlantic/transpacific backbones suffered most, while Europe’s direct-peering networks (France +18%, Germany -1%) remained stable. The sustained 59% traffic reduction persists as of February 10, raising questions about coordinated responses to legacy protocol risks.

This event underscores the fragility of outdated protocols in modern infrastructure. While the CVE concerns a flaw in a telnet daemon, the abrupt traffic collapse points to proactive filtering, a rare case where security measures may have preceded public vulnerability disclosure. The interplay between network architecture and threat response remains a critical area for investigation.