Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE
Ravie LakshmananMar 18, 2026Vulnerability / Data Protection
Cybersecurity researchers have disclosed a critical security flaw impacting the GNU InetUtils telnet daemon (telnetd) that could be exploited by an unauthenticated remote attacker to execute arbitrary code with elevated privileges.
The vulnerability, tracked as CVE-2026-32746, carries a CVSS score of 9.8 out of 10.0. It has been described as a case of out-of-bounds write in the LINEMODE Set Local Characters (SLC) suboption handler that results in a buffer overflow, ultimately paving the way for code execution.
Israeli cybersecurity company Dream, which discovered and reported the flaw on March 11, 2026, said it affects all versions of the Telnet service implementation through 2.7. A fix for the vulnerability is expected to be available no later than April 1, 2026.
"An unauthenticated remote attacker can exploit this by sending a specially crafted message during the initial connection handshake — before any login prompt appears," Dream said in an alert. "Successful exploitation can result in remote code execution as root."
"A single network connection to port 23 is sufficient to trigger the vulnerability. No credentials, no user interaction, and no special network position are required."
The SLC handler, per Dream, processes option negotiation during the Telnet protocol handshake. But given that the flaw can be triggered before authentication, an attacker can weaponize it immediately after establishing a connection by sending specially crafted protocol messages.
Successful exploitation could result in complete system compromise if telnetd runs with root privileges. This, in turn, could open the door to various post-exploitation actions, including the deployment of persistent backdoors, data exfiltration, and lateral movement by using the compromised hosts as pivot points.
"An unauthenticated attacker can trigger it by connecting to port 23 and sending a crafted SLC suboption with many triplets," according to Dream security researcher Adiel Sol.
"No login is required; the bug is hit during option negotiation, before the login prompt. The overflow corrupts memory and can be turned into arbitrary writes. In practice, this can lead to remote code execution. Because telnetd usually runs as root (e.g., under inetd or xinetd), a successful exploit would give the attacker full control of the system."
In the absence of a fix, it's advised to disable the service if it's not necessary, run telnetd without root privileges where required, block port 23 at the network perimeter and host-based firewall level to restrict access, and isolate Telnet access.
The disclosure comes nearly two months after another critical security flaw was disclosed in GNU InetUtils telnetd (CVE-2026-24061, CVSS score: 9.8) that could be leveraged to gain root access to a target system. The vulnerability has since come under active exploitation in the wild, per the U.S. Cybersecurity and Infrastructure Security Agency.
Update
Data from attack surface management platform Censys shows that there are about 3,362 exposed hosts as of March 18, 2026.
In a follow-up analysis, watchTowr Labs said the vulnerability affects a wide range of software, including FreeBSD, NetBSD, Citrix NetScaler, Haiku, TrueNAS Core, uCLinux, libmtev, and DragonFlyBSD. The cybersecurity company also described CVE-2005-0469 as CVE-2026-32746's doppelgänger, but on the client side.
The analysis has also revealed that while reliable remote code execution is difficult and environment-specific, the vulnerability can facilitate memory corruption, pointer leaks, and arbitrary writes in some cases. That said, the exact impact remains unclear, as the underlying code has been reused and modified across various platforms, particularly legacy and embedded environments.
"The most striking thing about this vulnerability is its sheer reach," researchers McCaulay Hudson and Aliz Hammond said. "A good portion of the huge number of systems running some kind of Telnet server includes this vulnerable code."
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
SHARE
Tweet
Share
Share
SHARE
cybersecurity, data protection, linux, network security, Open Source, remote code execution, system security, Threat Intelligence, Vulnerability
Trending News
ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories
54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security
Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks
Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams
TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise
Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets
China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks
⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More
Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug
FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns
Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks
Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks
TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files
CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation
New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data
FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks
Load More ▼
Popular Resources
[Guide] Learn How to Govern AI Agents With Proven Market Guidance
[Demo] Discover SaaS Risks and Monitor Every App in Your Environment
SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats
Detect AI-Driven Threats Faster With Full Network Visibility