
Regional Variance in Telnet Traffic Reduction and Infrastructure Filtering

Recent data indicates a significant global drop in Telnet traffic following infrastructure changes by internet backbone providers. However, the Asia-Pacific region has seen a slower rate of reduction, signaling a continued need for organizations to actively manage legacy protocol exposure and migrate to secure alternatives like SSH.

Triage Security Media Team

Despite the availability of secure alternatives and recent critical vulnerabilities, the Telnet protocol remains widely used in the Asia-Pacific region. Data indicates that consumer-grade routers and IoT devices continue to rely on this legacy technology, presenting a sustained risk to organizational security.

Global patterns suggest a shift in how internet backbone providers are managing this traffic. On Jan. 14, global Telnet traffic decreased by approximately 83% over a three-hour period, dropping from 65,000 sessions per hour to 11,000. Data provided by threat intelligence firm GreyNoise suggests this sharp decline resulted from backbone providers curtailing specific traffic types. However, this reduction was less pronounced in the Asia-Pacific region, indicating that local network providers may have applied different filtering policies.

Bob Rudis, Vice President of Data Science at GreyNoise, notes that while nations such as Ukraine and Canada saw complete blocks on Telnet traffic, filtering in the Asia-Pacific region was variable. Taiwan blocked 77% of Telnet sessions, India 70%, Japan 65%, and China 59%.

The prevalence of legacy infrastructure contributes to this variance. While many enterprise environments have deprecated Telnet, it remains common in small-business networks and consumer IoT devices, such as cameras. Because these devices often function without immediate operational issues, there is little financial incentive for owners to replace them, leaving a significant volume of unmanaged devices online.

Data from the Shadowserver Foundation, a nonprofit threat intelligence provider, corroborates this regional concentration. Shadowserver estimates there are 839,000 active internet addresses globally with accessible Telnet devices. Approximately 410,000 of these—nearly half—are located in the Asia-Pacific region.

Regional Traffic Analysis

Scanning traffic originating from Asia-Pacific addresses shows distinct geographic patterns. More than half of this activity originates from Chinese IP address space, followed by India (14%) and South Korea (12%). The majority of this traffic (55%) consists of login attempts, while approximately 10% involves generic password attempts targeting IoT devices.

The security community recently focused on Telnet due to an authentication bypass vulnerability in the GNU InetUtils Telnet server (CVE-2026-24061). This flaw was added to the Known Exploited Vulnerabilities (KEV) Catalog following its public disclosure on Jan. 20. Rudis suggests that knowledge of the vulnerability likely existed prior to the public disclosure, prompting major ISPs to implement protective filtering measures proactively.

Shadowserver also adjusted its detection methodology to gain a clearer view of the situation. By broadening detection to include less common Telnet ports, the organization observed a spike in activity around Jan. 20, followed by a decrease as filtering improved. Piotr Kijewski, CEO of the Shadowserver Foundation, notes that while the number of exposed Telnet devices has declined from 1.3 million to 1.2 million over six months, the pace of reduction remains slow.
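The broadened detection described above rests on a simple point: Telnet is identified by its handshake, not by the port it listens on. The following is an added example (not code from the article, Shadowserver or GreyNoise) of how an internal asset inventory can apply the same idea. It assumes the inventory records are constructed and that, in practice, they would come from an internal scan that captures the first bytes each service sends before any client input.

```python
"""Detect Telnet services by their handshake rather than by port number.

Added example (not from the article, Shadowserver or GreyNoise). Assumption:
the inventory records below are constructed; in practice they would come from
an internal asset scan that stores the first bytes each service sends.
A Telnet server usually opens with IAC option negotiation: byte 0xFF followed
by WILL/WONT/DO/DONT (0xFB-0xFE) and an option code. Matching on that sequence
finds Telnet moved to a port such as 2323, which a port-23-only check misses.
"""
from dataclasses import dataclass

IAC = 0xFF
NEGOTIATION_VERBS = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT


@dataclass(frozen=True)
class ServiceRecord:
    host: str
    port: int
    first_bytes: bytes  # what the service sent before any client input


def looks_like_telnet(first_bytes: bytes) -> bool:
    """Return True when the data opens with a complete IAC negotiation triple."""
    if len(first_bytes) < 3:
        return False
    return first_bytes[0] == IAC and first_bytes[1] in NEGOTIATION_VERBS


def find_telnet_exposures(records):
    """Return (host, port, reason) for every record whose banner is Telnet.

    reason is 'standard-port' for TCP/23 and 'non-standard-port' otherwise,
    so the report shows which hits a port-based check would have missed.
    """
    exposures = []
    for r in records:
        if looks_like_telnet(r.first_bytes):
            reason = "standard-port" if r.port == 23 else "non-standard-port"
            exposures.append((r.host, r.port, reason))
    return exposures


# Constructed sample inventory using RFC 5737 documentation addresses.
SAMPLE_RECORDS = [
    # DO TERMINAL-TYPE, DO TERMINAL-SPEED, DO X-DISPLAY-LOCATION, DO NEW-ENVIRON
    ServiceRecord("192.0.2.10", 23, b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27"),
    # WILL ECHO, WILL SUPPRESS-GO-AHEAD, then a login prompt, on a non-standard port
    ServiceRecord("192.0.2.11", 2323, b"\xff\xfb\x01\xff\xfb\x03login: "),
    ServiceRecord("192.0.2.12", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    # Listening on 23 but speaking HTTP: a port-based check would miscount this
    ServiceRecord("192.0.2.13", 23, b"HTTP/1.1 400 Bad Request\r\n"),
    ServiceRecord("192.0.2.14", 80, b""),
]

if __name__ == "__main__":
    for host, port, reason in find_telnet_exposures(SAMPLE_RECORDS):
        print(f"{host}:{port} telnet ({reason})")
```

Some Telnet daemons emit a plain text prompt before negotiating options, so a production check would pair the handshake match with a prompt heuristic; the handshake alone is still the higher-confidence signal and is what lets a port-agnostic sweep count devices the article's port-23 figures would miss.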

"Telnet is an unnecessary exposure and has long been replaced by other forms of remote terminal access, especially SSH," Kijewski states. He advises that the protocol should be fully retired, including on public-facing infrastructure.

Infrastructure Congestion and Unintended Protections

The reaction of network operators to broader internet traffic trends appears to have had a secondary, positive effect on security.

The global drop in Telnet traffic may not be solely due to security policy, but rather a response to infrastructure congestion. Rudis explains that aggressive web scraping by AI companies has caused significant load on routers and backbone infrastructure. To maintain service reliability, providers have implemented stricter traffic management rules to identify and block automated high-volume traffic.

"The networks were facing significant congestion," Rudis notes. "In response, operators adjusted how routers handle specific scenarios. If traffic exceeds a certain threshold within a set timeframe, the connection is terminated and resets are sent for a duration of three to four hours."

Because the traffic patterns of web scrapers can resemble the flooding behavior of botnets scanning for open Telnet ports, measures designed to mitigate scraping have inadvertently reduced malicious scanning activity as well. While this does not replace the need for patching and device management, it provides a layer of interference against unauthorized scanning.
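The mechanism Rudis describes, a per-source connection threshold within a time window followed by a multi-hour period of resets, is ordinary rate limiting, and its effect on scanner-like traffic can be seen in a small model. The following is an added example (not code from the article or from GreyNoise) of such a limiter run over constructed connection events; the threshold and window values are assumed, and the block duration uses the three-hour lower bound quoted above.

```python
"""Model of threshold-triggered connection resets as described by the operator.

Added example, not from the article or GreyNoise. Assumed values: 20
connections per 60-second sliding window per source; a source that exceeds it
is reset for 3 hours (the lower bound of the quoted "three to four hours").
Events are constructed and use RFC 5737 documentation addresses.
"""
from collections import defaultdict, deque

THRESHOLD = 20        # connections allowed per window per source (assumed)
WINDOW_S = 60         # sliding window length in seconds (assumed)
BLOCK_S = 3 * 3600    # reset period after the threshold is exceeded


class ConnectionRateLimiter:
    def __init__(self, threshold=THRESHOLD, window_s=WINDOW_S, block_s=BLOCK_S):
        self.threshold = threshold
        self.window_s = window_s
        self.block_s = block_s
        self.recent = defaultdict(deque)  # src -> timestamps inside the window
        self.blocked_until = {}           # src -> time the reset period ends

    def decide(self, ts: float, src: str) -> str:
        """Return 'allow' or 'reset' for one connection attempt at time ts.

        Events must be fed in chronological order.
        """
        until = self.blocked_until.get(src)
        if until is not None:
            if ts < until:
                return "reset"            # still inside the reset period
            del self.blocked_until[src]   # period over; start with a clean window
            self.recent[src].clear()
        window = self.recent[src]
        window.append(ts)
        while window and window[0] <= ts - self.window_s:
            window.popleft()              # drop attempts older than the window
        if len(window) > self.threshold:
            self.blocked_until[src] = ts + self.block_s
            return "reset"
        return "allow"


def simulate(events):
    """Run the limiter over (ts, src) events; return per-source decision counts."""
    limiter = ConnectionRateLimiter()
    summary = defaultdict(lambda: {"allow": 0, "reset": 0})
    for ts, src in sorted(events):
        summary[src][limiter.decide(ts, src)] += 1
    return dict(summary)


# Constructed events: a scanner-like burst of 50 connections in 10 seconds,
# a retry two hours later, and a return after the reset period has ended,
# alongside an administrator making five connections spread over a minute.
SCANNER = "198.51.100.7"
ADMIN = "192.0.2.50"
SAMPLE_EVENTS = (
    [(i * 0.2, SCANNER) for i in range(50)]
    + [(7200.0, SCANNER), (10900.0, SCANNER)]
    + [(0.0, ADMIN), (15.0, ADMIN), (30.0, ADMIN), (45.0, ADMIN), (59.0, ADMIN)]
)

if __name__ == "__main__":
    for src, counts in simulate(SAMPLE_EVENTS).items():
        print(f"{src}: allowed={counts['allow']} reset={counts['reset']}")
```

The scanner's first twenty attempts pass, the rest of the burst and the two-hour retry are reset, and only the attempt after the three-hour period gets through; the administrator's five connections are never touched. The model makes the article's point concrete: a rule tuned for high-volume automated clients filters botnet scanning as a side effect, and equally provides no protection once a slow scanner stays under the threshold, which is why it buffers rather than replaces retiring Telnet.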

The result is a cleaner network environment, even if the primary driver was operational stability rather than vulnerability management. This shift in infrastructure behavior offers a temporary buffer, but organizations must still prioritize the removal of Telnet services to ensure long-term security.
