telnetlib Usage Detected

HIGH

telnetlib.Telnet() transmits all data including credentials in plaintext. Replace with SSH (paramiko) for remote command execution.

Rule Information

Language
Python
Category
Python Core
Author
Shivasurya
Last Updated
2026-03-22
Tags
python, telnet, telnetlib, plaintext, remote-access, CWE-319, OWASP-A02
CWE References
CWE-319: Cleartext Transmission of Sensitive Information
Interactive Playground

Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.

pathfinder scan --ruleset python/PYTHON-LANG-SEC-064 --project .

About This Rule

Understanding the vulnerability and how it is detected

telnetlib.Telnet() is the standard library's client for the Telnet protocol, a legacy remote terminal protocol that carries everything, usernames, passwords, commands, and command output, in plaintext over TCP. The telnetlib module was deprecated in Python 3.11 and removed in Python 3.13 as part of PEP 594's removal of obsolete standard-library modules; the protocol itself has no confidentiality or integrity protection at all.

Any credentials used to authenticate to a Telnet service are transmitted in plaintext and can be captured by any observer on the network. Commands executed via Telnet and their output are also visible, potentially exposing sensitive system information.

SSH is the universally accepted secure replacement for Telnet. Python's paramiko library provides a complete SSH client implementation that supports password and key-based authentication, command execution, SFTP, and port forwarding.

Security Implications

Potential attack scenarios if this vulnerability is exploited

1

Plaintext Credential Transmission

The Telnet login username and password are transmitted in plaintext, typically one character per TCP segment when the client runs in character-at-a-time mode. Anyone who can observe the TCP stream (a tap, a mirrored switch port, a compromised host on the path) can reassemble the segments and read the complete credentials.

2

Session Hijacking

The entire Telnet session (commands and output) is transmitted in plaintext with no integrity protection. An on-path attacker who can intercept the TCP stream can read it and inject arbitrary commands into the session, capturing or modifying the remote system's state.

3

Network Infrastructure Attack

Routers, switches, and embedded devices that expose Telnet management interfaces are particularly vulnerable. Python scripts automating network device management via Telnet expose device credentials and configuration to network observers.

4

Deprecated API with Removal Risk

telnetlib was deprecated in Python 3.11 and removed in Python 3.13. Code using telnetlib will fail on Python 3.13+ and must be migrated regardless of the security concern.
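Scenario 1 above is easy to demonstrate without any network at all. The following is an added example, not code from the rule page or from Code Pathfinder: it takes the client-to-server bytes of a Telnet session (constructed here inline; in practice they would come from a packet capture) and recovers the credentials by stripping the Telnet IAC negotiation sequences and joining the per-character segments back into lines. The assumption that the first line answers `login:` and the second answers `Password:` is the usual Unix login flow and is labelled in the code.

```python
# Added example, not part of the rule page: passive recovery of a Telnet login
# from captured client-to-server bytes. The packets below are constructed for
# this illustration; a real capture would come from tcpdump or Wireshark.
IAC, SB, SE = 0xFF, 0xFA, 0xF0
OPTION_CMDS = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT: "IAC <cmd> <option>"


def strip_telnet_commands(data: bytes) -> bytes:
    """Drop IAC command and negotiation sequences, keep application bytes.

    Telnet has no encryption and no framing beyond these escape sequences,
    so what remains is exactly what the user typed."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):      # capture ends in the middle of a command
            break
        cmd = data[i + 1]
        if cmd == IAC:              # "IAC IAC" is an escaped literal 0xFF byte
            out.append(IAC)
            i += 2
        elif cmd == SB:             # subnegotiation runs until "IAC SE"
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end == -1 else end + 2
        elif cmd in OPTION_CMDS:    # three-byte option negotiation
            i += 3
        else:                       # two-byte command (NOP, AYT, ...)
            i += 2
    return bytes(out)


def reassemble_login(client_packets: list[bytes]) -> dict:
    """Join per-character segments into lines.

    Assumption (typical Unix login): the first line answers 'login:' and the
    second answers 'Password:'; everything after that is shell input."""
    stream = strip_telnet_commands(b"".join(client_packets))
    # Telnet line ends are CR LF, or CR NUL when the sender means a bare CR.
    text = stream.replace(b"\r\n", b"\n").replace(b"\r\x00", b"\n")
    lines = text.decode("ascii", errors="replace").split("\n")
    if lines and lines[-1] == "":
        lines.pop()                 # trailing line end, not an empty command
    if len(lines) < 2:
        raise ValueError("capture does not contain a complete login")
    return {"username": lines[0], "password": lines[1], "commands": lines[2:]}


# Constructed capture: option negotiation, then a character-at-a-time login.
CLIENT_PACKETS = [
    bytes([IAC, 0xFD, 0x01]),                                    # IAC DO ECHO
    bytes([IAC, 0xFB, 0x18]),                                    # IAC WILL TERMINAL-TYPE
    bytes([IAC, SB, 0x18, 0x00]) + b"xterm" + bytes([IAC, SE]),  # terminal-type subnegotiation
    *[bytes([c]) for c in b"admin"], b"\r\n",                    # username, one byte per segment
    *[bytes([c]) for c in b"s3cr3t"], b"\r\x00",                 # password, CR NUL line end
    *[bytes([c]) for c in b"show running-config"], b"\r\n",      # first command typed
]

if __name__ == "__main__":
    print(reassemble_login(CLIENT_PACKETS))
```

The same reassembly works on the server-to-client direction, which is why command output (configuration dumps, file contents) is exposed along with the credentials.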

How to Fix

Recommended remediation steps

  • Replace telnetlib with paramiko for SSH-based remote command execution on Linux/Unix systems.
  • For network device automation (Cisco, Juniper, etc.), use netmiko or NAPALM, which use SSH instead of Telnet.
  • Use SSH key-based authentication instead of password-based authentication when connecting to remote systems.
  • Disable Telnet on all managed network devices and require SSH-only access.
  • Migrate any telnetlib-dependent code before upgrading to Python 3.13, where telnetlib has been removed.
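The steps above, as an added example (not code from the rule page or from the paramiko project): the telnetlib pattern this rule flags next to its SSH replacement. The replacement uses key-based authentication, refuses unknown host keys instead of auto-adding them, and checks up front that the target is already pinned in the known_hosts file so a missing entry fails with a clear message rather than a confusing rejection. Host names, the user, the key path and the known_hosts path are placeholders; `host_is_pinned` handles plain and OpenSSH-hashed entries and the `[host]:port` form, but not wildcard or negated patterns.

```python
# Added example, not part of the rule page: the flagged telnetlib call beside
# its SSH replacement. All hosts, users, paths and commands are placeholders.
import base64
import hashlib
import hmac
import os


def run_over_telnet(host: str, user: str, password: str, cmd: str) -> bytes:
    """BEFORE: the pattern this rule flags. Every byte, including the password,
    crosses the network unencrypted. Imported lazily only because telnetlib no
    longer exists on Python 3.13."""
    import telnetlib  # deprecated in 3.11, removed in 3.13
    with telnetlib.Telnet(host, 23, timeout=10) as tn:
        tn.read_until(b"login: ")
        tn.write(user.encode() + b"\n")
        tn.read_until(b"Password: ")
        tn.write(password.encode() + b"\n")   # plaintext on the wire
        tn.write(cmd.encode() + b"\nexit\n")
        return tn.read_all()


def hash_known_host(name: str, salt: bytes) -> str:
    """OpenSSH HashKnownHosts form: '|1|b64(salt)|b64(HMAC-SHA1(salt, name))'."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return f"|1|{base64.b64encode(salt).decode()}|{base64.b64encode(mac).decode()}"


def host_is_pinned(host: str, known_hosts_text: str, port: int = 22) -> bool:
    """True if known_hosts already holds a key for host (plain, comma-separated
    or hashed entry). Non-default ports are stored as '[host]:port'.
    Limitation (assumption for this example): '*' and '!' patterns are ignored."""
    name = host if port == 22 else f"[{host}]:{port}"
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):        # '@cert-authority' / '@revoked' marker
            fields = fields[1:]
        if len(fields) < 3:                  # need hostnames, key type, key
            continue
        hostfield = fields[0]
        if hostfield.startswith("|1|"):
            parts = hostfield.split("|")
            if len(parts) != 4:
                continue
            salt = base64.b64decode(parts[2])
            if hmac.compare_digest(hash_known_host(name, salt), hostfield):
                return True
        elif name in hostfield.split(","):
            return True
    return False


def run_over_ssh(host: str, user: str, key_path: str, cmd: str, port: int = 22,
                 known_hosts: str = "~/.ssh/known_hosts", timeout: float = 10.0):
    """AFTER: same job over SSH. Key-based auth, pinned host key, no AutoAddPolicy.
    Returns (exit_status, stdout, stderr)."""
    import paramiko  # pip install paramiko
    kh_path = os.path.expanduser(known_hosts)
    with open(kh_path, encoding="utf-8") as fh:
        if not host_is_pinned(host, fh.read(), port):
            raise RuntimeError(f"no pinned host key for {host}:{port} in {kh_path}; "
                               "add it out of band instead of trusting on first use")
    client = paramiko.SSHClient()
    client.load_host_keys(kh_path)
    client.set_missing_host_key_policy(paramiko.RejectPolicy())   # MITM defence
    try:
        client.connect(host, port=port, username=user,
                       key_filename=os.path.expanduser(key_path),
                       allow_agent=False, look_for_keys=False, timeout=timeout)
        _stdin, stdout, stderr = client.exec_command(cmd, timeout=timeout)
        out = stdout.read().decode(errors="replace")
        err = stderr.read().decode(errors="replace")
        return stdout.channel.recv_exit_status(), out, err
    finally:
        client.close()
```

`paramiko.RejectPolicy` already refuses unknown host keys on its own; the explicit pre-check only turns that refusal into an actionable message. The one thing never to do when migrating is to paper over host key errors with `AutoAddPolicy`, which reintroduces the on-path attack SSH is supposed to remove.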

Detection Scope

How Code Pathfinder analyzes your code for this vulnerability

This rule detects calls to telnetlib.Telnet() constructor and related telnetlib usage in Python source code. All call sites are flagged since Telnet inherently transmits all data in plaintext and is deprecated/removed in modern Python versions.
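To make the detection scope concrete, here is an added example of the same idea written against Python's own `ast` module. It is illustrative code, not Code Pathfinder's rule implementation: it resolves the three import forms (`import telnetlib`, `import telnetlib as x`, `from telnetlib import Telnet [as y]`) and reports every `Telnet()` construction with its line number. The sample source it scans is constructed for this example; rebinding an alias after import is not tracked.

```python
# Added example, not the Code Pathfinder rule itself: an AST-based detector for
# telnetlib.Telnet() construction. The scanned source below is constructed.
import ast


def find_telnet_calls(source: str, filename: str = "<string>") -> list[tuple[int, str]]:
    """Return sorted (line, call_text) pairs for every telnetlib.Telnet() call."""
    tree = ast.parse(source, filename)
    module_aliases: set[str] = set()   # names bound to the telnetlib module
    class_aliases: set[str] = set()    # names bound to telnetlib.Telnet
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "telnetlib":
                    module_aliases.add(alias.asname or "telnetlib")
        elif isinstance(node, ast.ImportFrom) and node.module == "telnetlib":
            for alias in node.names:
                if alias.name == "Telnet":
                    class_aliases.add(alias.asname or "Telnet")
                elif alias.name == "*":
                    class_aliases.add("Telnet")
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        via_module = (isinstance(f, ast.Attribute) and f.attr == "Telnet"
                      and isinstance(f.value, ast.Name) and f.value.id in module_aliases)
        via_class = isinstance(f, ast.Name) and f.id in class_aliases
        if via_module or via_class:
            findings.append((node.lineno, ast.unparse(node)))
    # Assumption: aliases are not rebound later in the file (not tracked here).
    return sorted(findings)


# Constructed sample: three flagged call sites and one SSH call that is not.
SAMPLE = '''\
import telnetlib
import telnetlib as tl
from telnetlib import Telnet as T

def legacy(host, user, pw):
    conn = telnetlib.Telnet(host, 23, timeout=5)
    conn.read_until(b"login: ")
    conn.write(user.encode())
    return conn

def also_legacy(host):
    return tl.Telnet(host)

def direct(host):
    with T(host) as t:
        return t.read_all()

def fine(host):
    import paramiko
    return paramiko.SSHClient()
'''

if __name__ == "__main__":
    for line, call in find_telnet_calls(SAMPLE, "sample.py"):
        print(f"sample.py:{line}: telnetlib usage: {call}")
```

Because the constructor is the only entry point to the module's functionality, flagging every construction is sufficient; there is no safe argument combination that would make a `Telnet()` call acceptable.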

Compliance & Standards

Industry frameworks and regulations that require detection of this vulnerability

PCI DSS v4.0
Requirement 2.2.7 - All non-console administrative access encrypted using strong cryptography; Telnet explicitly prohibited
OWASP Top 10
A02:2021 - Cryptographic Failures
NIST SP 800-52 Revision 2
Only approved encrypted protocols permitted for administrative access
DISA STIG
V-72221: Telnet must not be used for interactive login by authorized users

Frequently Asked Questions

Common questions about telnetlib Usage Detected

telnetlib was deprecated in Python 3.11 (released October 2022) with a planned removal. It was removed in Python 3.13 (released October 2024). Code using telnetlib must be migrated before upgrading to Python 3.13 or later.

Legacy network infrastructure, some industrial control systems (ICS/OT), and certain embedded devices may still expose only Telnet management interfaces. These represent legacy integration requirements, not good practice. In all such cases, use a dedicated VPN or SSH tunnel to isolate and encrypt the Telnet traffic, and plan a migration to SSH.

paramiko provides SSH (Secure Shell), the secure successor to Telnet. SSH encrypts all traffic, supports key-based authentication, provides host key verification to prevent MITM, and supports SFTP, port forwarding, and X11 forwarding. paramiko implements the SSH2 protocol in pure Python, using the cryptography library for the underlying primitives.

netmiko is a Python library built on paramiko that simplifies SSH connections to network devices (Cisco IOS, Juniper JunOS, Arista EOS, etc.). It handles device-specific command modes, paging, and prompt detection. Use netmiko instead of telnetlib for all network device automation tasks.

If a device only supports Telnet, use a dedicated terminal server or out-of-band management device that accepts SSH and proxies to the device via Telnet over a physically secured local network. This protects credentials on the network-accessible portion while acknowledging the local Telnet limitation.

This rule detects telnetlib.Telnet() usage only. Custom Telnet implementations using raw sockets carry the same risks but are outside this rule's scope; other rules cover adjacent socket patterns (PYTHON-LANG-SEC-070 for socket bind, PYTHON-LANG-SEC-014 for reverse-shell patterns) and may partially catch such code, but none of them recognises the Telnet protocol itself. Manual review of any code implementing Telnet-like protocols over raw sockets is recommended.
