Critical Unpatched Telnetd Vulnerability (CVE-2026-32746) Exposes Systems to Remote Code Execution
A significant security vulnerability has been identified in the GNU InetUtils telnet daemon (telnetd), posing a severe risk to systems worldwide. This flaw, designated as CVE-2026-32746, has been assigned a CVSS score of 9.8 out of 10, indicating its critical nature. The vulnerability stems from an out-of-bounds write error within the LINEMODE Set Local Characters (SLC) suboption handler, leading to a buffer overflow that can be exploited for remote code execution.
Discovery and Impact
The Israeli cybersecurity firm Dream uncovered this vulnerability and reported it on March 11, 2026. Their analysis reveals that all versions of telnetd up to and including 2.7 are susceptible. An unauthenticated attacker can exploit this flaw by sending a specially crafted message during the initial connection handshake, even before the login prompt appears. This means that a single network connection to port 23 is sufficient to trigger the vulnerability, without the need for credentials, user interaction, or a specific network position.
The SLC handler is responsible for processing option negotiations during the Telnet protocol handshake. Due to the flaw’s presence in this early stage, attackers can exploit it immediately upon establishing a connection by sending malicious protocol messages. If telnetd operates with root privileges, successful exploitation could grant attackers full control over the affected system. This level of access enables various malicious activities, including deploying persistent backdoors, exfiltrating sensitive data, and moving laterally within the network by using the compromised host as a pivot point.
Mitigation Measures
In the absence of an official patch, it is crucial to implement the following mitigation strategies to protect vulnerable systems:
1. Disable Telnet Service: If the Telnet service is not essential, it should be disabled to eliminate the risk associated with this vulnerability.
2. Operate Telnetd with Limited Privileges: For systems where Telnet is necessary, configure telnetd to run without root privileges to minimize potential damage from exploitation.
3. Restrict Network Access: Block port 23 at both the network perimeter and host-based firewalls to prevent unauthorized access to the Telnet service.
4. Isolate Telnet Access: Ensure that Telnet access is isolated and only available to trusted users and systems, reducing the attack surface.
Previous Vulnerabilities and Ongoing Threats
This disclosure follows a similar critical vulnerability (CVE-2026-24061) in GNU InetUtils telnetd, reported two months prior, which also allowed attackers to gain root access. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has noted active exploitation of that flaw in the wild, underscoring the persistent threats associated with unpatched Telnet services.
Conclusion
The discovery of CVE-2026-32746 highlights the ongoing security challenges posed by legacy protocols like Telnet. Organizations must prioritize the decommissioning of such outdated services in favor of more secure alternatives. In scenarios where Telnet remains in use, implementing robust security measures and staying vigilant for updates is imperative to safeguard systems against potential exploits.
