The flaw exists in all Cisco Web Security, Email Security, and Content Security Management Appliances (in other words, most IronPort-based products) if Telnet is enabled. On the Web Security Appliance, Telnet is turned off after the setup wizard is completed, so the exposure there is limited.
For other appliances the concern is real, although any competent security professional is going to shut down Telnet access anyway, simply because it is an insecure protocol. For those of you interested, the original flaw found back in 2011 was related to the way that Telnet handled encryption keys: due to a lack of boundary checks, someone could gain access without proper authentication. However, even going back to 1999, Telnet was being phased out because it could not be properly secured even with encryption. It has been succeeded by SSH (Secure Shell).
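To make the missing boundary check concrete, here is an added sketch (not Cisco's code and not taken from any Telnet implementation) of storing a peer-supplied encryption key ID into a fixed buffer. The `session` struct, the function names and the 64-byte limit are assumptions for illustration; the option and subcommand numbers are those of the Telnet ENCRYPT option in RFC 2946.

```c
#include <stddef.h>
#include <string.h>

#define TELOPT_ENCRYPT    38  /* Telnet ENCRYPT option code (RFC 2946) */
#define ENCRYPT_ENC_KEYID  7  /* "encryption key ID" subcommand (RFC 2946) */
#define MAXKEYLEN         64  /* assumed size of the fixed key-ID buffer */

/* Hypothetical per-connection state: a fixed buffer followed by other data. */
struct session {
    unsigned char keyid[MAXKEYLEN];
    size_t keylen;
    unsigned char canary[8];  /* stands in for whatever sits after the buffer */
};

/* The flawed pattern trusts the peer-supplied length:
 *     memcpy(s->keyid, sub + 2, sublen - 2);
 * so a key ID longer than MAXKEYLEN writes past keyid[].
 * Checked version: sub is the suboption payload (option byte, subcommand
 * byte, key-ID bytes). Returns 0 if stored, -1 if rejected. */
int store_keyid(struct session *s, const unsigned char *sub, size_t sublen)
{
    if (s == NULL || sub == NULL || sublen < 2)
        return -1;
    if (sub[0] != TELOPT_ENCRYPT || sub[1] != ENCRYPT_ENC_KEYID)
        return -1;
    size_t len = sublen - 2;
    if (len > MAXKEYLEN)      /* the boundary check */
        return -1;            /* reject; never truncate silently */
    memcpy(s->keyid, sub + 2, len);
    s->keylen = len;
    return 0;
}

/* Constructed sample input: pass a key ID of idlen bytes to store_keyid().
 * Returns its result, -2 if data after the buffer changed, -3 if idlen
 * is too large for this sample message. */
int try_keyid(size_t idlen)
{
    unsigned char msg[2 + 4 * MAXKEYLEN] = { TELOPT_ENCRYPT, ENCRYPT_ENC_KEYID };
    struct session s;
    if (idlen > sizeof msg - 2)
        return -3;
    memset(msg + 2, 0x41, idlen);
    memset(&s, 0, sizeof s);
    memset(s.canary, 0xA5, sizeof s.canary);
    int rc = store_keyid(&s, msg, idlen + 2);
    for (size_t i = 0; i < sizeof s.canary; i++)
        if (s.canary[i] != 0xA5)
            return -2;
    return rc;
}

int main(void) { return (try_keyid(MAXKEYLEN) == 0 && try_keyid(MAXKEYLEN + 1) == -1) ? 0 : 1; }
```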
It is sort of comical that Cisco, which talks up its security practices and products, would continue working with such a vulnerable protocol, and that it is still an option for communicating with these devices. Then again, we are seeing this as a common trend in the industry, considering the recent SSL v3.0 bug and a few others that are here simply because people do not want to move away from the older methods to the new… it is as funny as it is sad.