Are you KIDDING me?
That is completely unacceptable for a security system.
Telnet is running, meaning the system can be remotely controlled via the internet. You refuse to allow the owner of the system to either stop Telnet or change the login credentials.
This is a security hole of epic proportions. Thieves must love this. They can remotely disable the NVR before they even get on-site.