Are You Still Using Telnet? Cyberattackers Are

Ymir Vigfusson

July 8, 2025

Remember Telnet?! Well, Telnet never left. It still runs on old printers, legacy PLCs, and embedded equipment that no one dares to patch. Most security teams overlook it because no one installs it anymore and it’s protected by network segmentation. But it’s still wired into firmware, reachable over flat networks, and potentially wide open for attack.

Attackers scan for Telnet because it gives them what they want: direct shell access, cleartext credentials, and no logging. Most defenders miss it because their tools ignore it. Telnet creates blind spots that no EDR or VPN policy can close. You can’t patch it. You can’t remove it. But with Keystrike, you can limit attackers' reach, so you prevent lateral movement with this classic network protocol.

Why Telnet Is Still Alive

Telnet should have died with the modem. No encryption. No authentication hardening. No modern protections of any kind. But it keeps showing up in environments where no one expects it. Not because people choose it today, but because it never got removed.

Think about the printers you never upgraded, the building control systems nobody patches, or the router someone installed ten years ago and left running. If it’s old, embedded, or labeled “critical infrastructure,” there’s a good chance it still allows Telnet.

Now, combine that with one flawed assumption that’s haunted OT and legacy IT designs for decades: isolation. These systems were built under the belief that they’d stay air-gapped forever. But remote access crept in. Supply chain software was installed. Dashboards were built. Covid required more and deeper remote access than ever before. And suddenly, your “offline” box is routable.

That’s how Telnet becomes an attack vector.

What Makes Telnet a Perfect Target

Attackers don’t break what they can walk through. Telnet lets them walk. Let’s break down what makes Telnet a goldmine for lateral movement:

Weakness Description
Unencrypted Sessions Credentials and commands are passed in plaintext. Anyone watching the wire sees everything.
Hardcoded Credentials Devices ship with “admin/admin.” Many stay that way for years.
No Session Integrity No validation of who’s typing. Remote commands look identical to human input.
Low Visibility SIEMs, NDRs, and EDRs often don’t inspect Telnet sessions.

And once they’re in? Attackers act fast. It’s quiet. No exploits. Just credentials and misconfigurations.

The Hard Problem: You Can’t Just Kill Telnet

You know Telnet is insecure. So why not remove it? Because in many environments, you can’t. 

Here’s why:

Constraint Impact
Legacy firmware Devices can’t be upgraded without risking bricking them.
Critical workloads Devices can’t be rebooted or touched without operational risk.
Cost barriers Replacing hardware costs millions and months of downtime.
OT ownership IT doesn’t control the gear. OT does and often lacks the security mandate.

Most defenders default to segmentation, VPNs, and jump hosts. But segmentation fails as configurations drift. VPNs get misused. And attackers use the same jump hosts to hop across systems.

That’s where Keystrike enters the picture.

How Keystrike Locks Down Legacy Protocols

Keystrike doesn’t care what protocol you’re using, Telnet, SSH, RDP, or something proprietary. It verifies how commands are created, not what protocol they’re using.

It works upstream of the session, at the physical input level. Every keystroke and mouse movement gets cryptographically signed by trusted hardware. No signature? No command execution. Even if an attacker steals credentials, opens a session, and runs commands, they’ll get blocked.

Because the session didn’t originate from a physically present human. This flips the entire threat model.

Telnet Exploit Without Keystrike

Telnet, unprotected

Telnet Flow With Keystrike Enforced

Telnet, protected with Keystrike

Keystrike doesn’t patch Telnet. We protect access by ensuring that only physical input leads to command execution.

Where You Deploy Keystrike (And Why It Works)

You don’t need to put Keystrike on the legacy device. Instead, you deploy it on the access path: jump boxes, bastion hosts, and management terminals. That’s where attackers move and an ideal chokepoint where you can cut them off.

Here’s a typical use case:

  • A technician connects to a PLC via Telnet through a jump server.
  • The jump server runs Keystrike.
  • Keystrike verifies that the technician is physically present.
  • If malware tries to use the same session later? Keystrike blocks it because it sees no signed human input.

This works in industrial controls, legacy infrastructure, and remote access gateways without changing the devices or network paths. You preserve uptime and gain integrity.

Why This Changes Everything

Traditional security relies on detecting known bad signatures, behaviors, and anomalies. But attackers have adapted. They use legitimate tools and valid credentials. Telnet’s just one example, but also an exploitable one that is often forgotten.

Keystrike moves the boundary by verifying the legitimacy of the interaction before the system executes a single byte.

Attack Type Keystrike Response
Credential replay Blocked (no physical signal)
Remote malware Blocked (no signed input)
SSH or Telnet hijack Blocked unless the session is live and human-driven
Scripted automation Blocked unless typed in real-time by a verified user

This applies whether you’re using Telnet or any other session-based tool.

What to Do Now

If you're securing an environment with legacy systems, and let’s be honest, most of us are, you can't just assume those systems are invisible. You need to assume attackers can find them. 

Keystrike gives you a way to control the session, not just the access. It enforces real human presence at the point of input. It stops hijacking, lateral movement, and stealthy automation even on protocols as insecure as Telnet.

Real Security Means Knowing What You Can’t See

You didn’t create the legacy. You inherited it. Every unpatchable PLC, every forgotten badge system, every exposed Telnet port that’s technical debt dropped on your lap with no budget, no time, and no vendor support. And yet, when attackers get in through one of those cracks, it’s your name in the incident report.

Keystrike gives you leverage. Not by asking you to rip and replace, but by letting you lock down what you already have. It stops attacker automation cold. It validates human presence before the command ever hits the wire. It makes unfixable systems safe to use.

Because sometimes, the only thing standing between legacy access and lateral compromise is whether the keystrokes came from a real keyboard.

Deploy Keystrike in 20 Minutes

Try Keystrike in Your Environment for 30 Days