Critical Unpatched Telnetd Vulnerability (CVE-2026-32746) Allows Unauthenticated Root Access via Port 23
A significant security vulnerability has been identified in the GNU InetUtils telnet daemon (telnetd), posing a severe risk to systems utilizing this service. Designated as CVE-2026-32746, this flaw has been assigned a critical CVSS score of 9.8 out of 10, indicating its high severity.
Technical Details:
The vulnerability stems from an out-of-bounds write error within the LINEMODE Set Local Characters (SLC) suboption handler of telnetd. This flaw leads to a buffer overflow, which can be exploited by remote attackers to execute arbitrary code with root privileges. Notably, this exploitation can occur without any authentication, making it particularly dangerous.
Discovery and Reporting:
Israeli cybersecurity firm Dream discovered and reported this vulnerability on March 11, 2026. Their analysis indicates that all versions of telnetd up to and including 2.7 are affected. A patch to address this issue is anticipated by April 1, 2026.
Exploitation Mechanism:
An attacker can exploit this vulnerability by sending a specially crafted message during the initial Telnet connection handshake, even before the login prompt appears. This means that a single network connection to port 23 is sufficient to trigger the flaw, without requiring any credentials or user interaction. The SLC handler processes option negotiations during the Telnet protocol handshake. Due to the flaw being exploitable before authentication, attackers can send malicious protocol messages immediately after establishing a connection.
Potential Impact:
If telnetd operates with root privileges, successful exploitation could lead to complete system compromise. This would allow attackers to perform various malicious activities, including deploying persistent backdoors, exfiltrating sensitive data, and moving laterally within the network by using the compromised host as a pivot point.
Mitigation Recommendations:
Until a patch is available, it is strongly recommended to:
– Disable Telnet Service: If the Telnet service is not essential, disable it to eliminate the risk.
– Restrict Access: Block port 23 at both network perimeter and host-based firewalls to prevent unauthorized access.
– Limit Privileges: If Telnet must be used, configure telnetd to run with the least privileges necessary, avoiding root where possible.
– Network Segmentation: Isolate systems running Telnet to minimize potential lateral movement by attackers.
Historical Context:
This disclosure follows a similar critical vulnerability (CVE-2026-24061) in GNU InetUtils telnetd, reported two months prior, which also allowed unauthenticated attackers to gain root access. That vulnerability has been actively exploited in the wild, as noted by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
Conclusion:
The discovery of CVE-2026-32746 underscores the critical need for organizations to assess and secure their network services, especially those exposed to the internet. Prompt action to mitigate this vulnerability is essential to protect systems from potential exploitation.
