Tags: cve 2026 32746, telnetd, gnu inetutils
March 18, 2026 · CyberTimes Security Team

CVE-2026-32746: Critical Unpatched Telnetd Flaw Allows Unauthenticated Root RCE via Port 23 — No Patch Until April 2026

Severity: 🔴 CRITICAL
CVSS Score: 9.5/10
Exploited: No
Fix Status: Check required
Any system running GNU InetUtils telnetd version 2.7 or earlier with port 23 exposed to the network — including Linux servers, embedded devices, network appliances, industrial control systems, and OT-adjacent infrastructure where Telnet remains enabled. Over 1 million devices are estimated to be listening on port 23 globally according to Censys data.

Israeli cybersecurity firm Dream has disclosed a critical unpatched vulnerability in GNU InetUtils telnetd that allows a completely unauthenticated remote attacker to execute arbitrary code with root privileges via port 23 — before a login prompt even appears. Tracked as CVE-2026-32746 with a CVSS score of 9.8, the vulnerability affects all versions of the GNU telnetd implementation through version 2.7. No patch exists as of disclosure. A fix is expected no later than April 1, 2026. This is the second critical CVSS 9.8 flaw in GNU InetUtils telnetd disclosed in less than two months — the previous vulnerability, CVE-2026-24061, has already been added to CISA's Known Exploited Vulnerabilities catalog and is confirmed actively exploited in the wild.


Affected products

  • GNU InetUtils telnetd — all versions through 2.7
  • Linux distributions shipping GNU InetUtils telnetd including Debian, Ubuntu, SUSE, and others
  • Embedded devices, network appliances, routers, and IoT devices running GNU InetUtils telnetd
  • Industrial control systems and OT-adjacent infrastructure with Telnet enabled
  • Any server running telnetd under inetd or xinetd with port 23 exposed

How to Fix

Step-by-step remediation

The primary mitigation in the absence of a patch is simple and should be executed immediately on any affected system: disable telnetd and block port 23. On systemd-based Linux systems, run sudo systemctl stop telnetd && sudo systemctl disable telnetd to stop the service and prevent it from restarting. At the firewall level, block inbound connections to port 23 at both the network perimeter and the host firewall. On Ubuntu systems with ufw, run sudo ufw deny 23.

For systems where Telnet cannot be immediately disabled due to operational dependencies (legacy equipment management interfaces, industrial systems, or compatibility requirements), run telnetd without root privileges as an interim measure. This limits the impact of a successful exploit from full system compromise to a lower privilege context.

Telnet should not exist on any modern network as a remote access protocol regardless of this specific CVE. It transmits all data, including usernames and passwords, in plaintext and has been superseded by SSH for over two decades. If your operational reason for running Telnet is remote device management, every modern network device supports SSH; migrating off Telnet entirely is the correct long-term response.

Monitor your network for any connection attempts to port 23 from external addresses while waiting for the official patch. The GNU InetUtils patch is expected by April 1, 2026 and should be treated as an emergency update and applied immediately upon release.


What happened

CVE-2026-32746 is a buffer overflow vulnerability in the LINEMODE Set Local Characters (SLC) suboption handler of GNU InetUtils telnetd. The SLC mechanism is part of the Telnet protocol's option negotiation process — the handshake that occurs when a client first connects to a Telnet server to agree on terminal settings and capabilities. This negotiation happens before any authentication takes place. The flaw is an out-of-bounds write — when the server processes a specially crafted SLC suboption message containing a large number of triplets, it writes data beyond the boundaries of an allocated memory buffer. This memory corruption can be used to overwrite adjacent memory regions, corrupt control flow data, and ultimately redirect execution to attacker-controlled code. Because telnetd typically runs as root under inetd or xinetd — the daemons responsible for managing network services on Linux — a successful exploit does not just compromise the telnetd process. It hands the attacker a root shell on the target system with no credentials, no user interaction, and no prior access required. The entire attack is triggered by a single TCP connection to port 23 carrying a malformed handshake message.

Real-World Impact

The attack surface for CVE-2026-32746 is larger than most organisations realise. According to Censys, approximately one million devices globally are listening on port 23, with Shodan data indicating over 212,000 devices actively running a Telnet server. Not all of these use the vulnerable GNU InetUtils implementation, but the number of potentially exposed systems is substantial. The affected population extends well beyond traditional Linux servers. GNU InetUtils telnetd is found in embedded devices, network appliances, industrial control systems, OT-adjacent infrastructure, and IoT devices where legacy protocol support is retained for compatibility with older management interfaces. Many of these devices run with default configurations, rarely receive firmware updates, and are frequently internet-exposed. The timing of this disclosure alongside active exploitation of the nearly identical CVE-2026-24061 significantly elevates the urgency. Attackers who are already working on GNU telnetd exploits for CVE-2026-24061 have the technical groundwork to adapt their tools to CVE-2026-32746 rapidly — particularly because no patch yet exists and the technical details of the vulnerability are publicly available.

Technical Details

The vulnerability was discovered by Adiel Sol, security researcher at Dream Security, and disclosed on March 11, 2026. The root cause is in the LINEMODE SLC handler — specifically the processing of triplets in the SLC suboption. When an attacker sends an SLC suboption with an abnormally large number of triplets during the Telnet option negotiation phase, the handler writes beyond the allocated buffer boundary, corrupting memory. Because this occurs during the pre-authentication handshake, zero credentials are required to trigger the vulnerability. The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — network accessible, low attack complexity, no privileges required, no user interaction required, and high impact across confidentiality, integrity, and availability. No public proof-of-concept exploit has been officially released as of disclosure, but technical details are sufficient for skilled attackers to develop working exploits independently. The Debian, SUSE, and OpenCVE security advisories are tracking the issue. A GNU Bug Tracker entry has been filed and the fix is expected by April 1, 2026.
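For the port 23 monitoring recommended above, the detection sketch below counts SLC triplets in captured client-to-server Telnet bytes and flags suboptions that exceed a threshold or are not a multiple of three bytes. It is an added example, not code from Dream or GNU InetUtils. The threshold of 30 and the function names are assumptions, and the sample capture is constructed.

```python
IAC, SB, SE = 255, 250, 240        # Telnet command bytes (RFC 854/855)
TELOPT_LINEMODE, LM_SLC = 34, 3    # LINEMODE option and its SLC suboption (RFC 1184)
MAX_TRIPLETS = 30                  # assumed alert threshold; the advisory gives no size

# Constructed client-to-server capture: IAC WILL LINEMODE, then one SLC
# suboption carrying three triplets; the last value byte is 0xFF, sent as IAC IAC.
SAMPLE = bytes([255, 251, 34,
                255, 250, 34, 3,
                3, 2, 3,  10, 2, 127,  11, 2, 255, 255,
                255, 240])


def slc_payloads(stream: bytes):
    """Yield the unescaped triplet bytes of each LINEMODE SLC suboption."""
    i, n = 0, len(stream)
    while i < n - 1:
        if stream[i] != IAC:
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd != SB:
            # WILL/WONT/DO/DONT (251-254) carry an option byte; others do not.
            i += 3 if 251 <= cmd <= 254 else 2
            continue
        body, j = bytearray(), i + 2
        while j < n:
            if stream[j] == IAC and j + 1 < n:
                if stream[j + 1] == SE:      # end of suboption
                    break
                if stream[j + 1] == IAC:     # escaped 0xFF data byte
                    body.append(IAC)
                    j += 2
                    continue
            body.append(stream[j])
            j += 1
        if body[:2] == bytes([TELOPT_LINEMODE, LM_SLC]):
            yield bytes(body[2:])
        i = j + 2


def inspect(stream: bytes, max_triplets: int = MAX_TRIPLETS):
    """Return one finding per SLC suboption: triplet count and alert flag."""
    findings = []
    for payload in slc_payloads(stream):
        count, leftover = divmod(len(payload), 3)
        findings.append({"triplets": count, "ragged": leftover != 0,
                         "alert": count > max_triplets or leftover != 0})
    return findings
```

Because negotiation happens before login, this check has to run on the first bytes of every inbound port 23 session, not only on authenticated ones.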

🛡️ Prevention Tips

CVE-2026-32746 is a textbook case of legacy protocol risk. Telnet was designed in 1969 for a trusted network environment that no longer exists. It has no encryption, no certificate-based authentication, and no modern security properties whatsoever. The only reason CVE-2026-32746 and CVE-2026-24061 are having impact in 2026 is that Telnet remains enabled on systems where it was never properly decommissioned. The prevention is not a patch — it is removal. Security teams conducting asset inventory should specifically audit for port 23 exposure as part of their attack surface management process. Network scanners and vulnerability management platforms should flag any open port 23 as a critical finding regardless of whether a specific CVE is in scope. For organisations managing embedded devices and industrial systems where Telnet cannot be immediately removed, network segmentation and strict firewall rules limiting port 23 access to specific trusted management IPs are the minimum acceptable interim controls.


FAQs

How do I check if my system is running telnetd?

Run ss -tlnp | grep :23 or netstat -tlnp | grep :23 in your terminal. If you see a process listening on port 23, telnetd is active. You can also run systemctl status telnetd on systemd-based systems. If the output shows "active (running)" — disable it immediately with sudo systemctl stop telnetd && sudo systemctl disable telnetd.
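When auditing many hosts from collected `ss -tlnp` output, note that `grep :23` also matches ports such as 2323, and that under inetd or xinetd the listed owner is the super-server, not telnetd. The parser below matches the local port exactly and reports the owning process. It is an added example, not part of the original article. The function name and the sample output are constructed.

```python
import re

# Constructed sample of `ss -tlnp` output (not from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=811,fd=3))
LISTEN 0      5            0.0.0.0:2323      0.0.0.0:*     users:(("python3",pid=4410,fd=4))
LISTEN 0      64           0.0.0.0:23        0.0.0.0:*     users:(("inetd",pid=702,fd=5))
LISTEN 0      64              [::]:23           [::]:*     users:(("inetd",pid=702,fd=6))
"""

# Process column format: users:(("name",pid=N,fd=N),...)
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def telnet_listeners(ss_output: str, port: int = 23):
    """Return (address, process, pid) for sockets listening on exactly `port`."""
    hits = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        addr, _, local_port = fields[3].rpartition(":")
        if local_port != str(port):
            continue  # rejects 2323, 2300 and similar substring matches
        # Without root, ss omits the Process column; report the owner as unknown.
        owners = PROC_RE.findall(line) or [(None, None)]
        for name, pid in owners:
            hits.append((addr, name, int(pid) if pid else None))
    return hits


if __name__ == "__main__":
    for addr, name, pid in telnet_listeners(SAMPLE_SS):
        print(f"port 23 open on {addr}: owner={name} pid={pid}")
```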


Is there a patch available right now?

No. As of March 18, 2026, there is no official patch for CVE-2026-32746. GNU InetUtils has acknowledged the issue and a fix is expected no later than April 1, 2026. Until then, the only mitigation is disabling telnetd and blocking port 23 at the firewall level.


Is this being actively exploited right now?

No confirmed active exploitation of CVE-2026-32746 has been reported as of disclosure. However, the previous GNU InetUtils telnetd vulnerability CVE-2026-24061 — disclosed less than two months ago with the same CVSS 9.8 score — is confirmed actively exploited and listed in CISA's Known Exploited Vulnerabilities catalog. Attackers already targeting GNU telnetd are well positioned to adapt to this new flaw quickly, especially with no patch available.

