Critical Telnetd Flaw CVE-2026-32746 Enables Unauthenticated Root RCE

Security researchers disclosed a critical bug in the GNU InetUtils telnet daemon. The flaw could let an unauthenticated attacker run code as root. The issue is tracked as CVE-2026-32746 and carries a CVSS score of 9.8 out of 10.

What happened

Israeli cybersecurity company Dream found the vulnerability and reported it on March 11, 2026. Dream said the bug affects all versions of the Telnet implementation through 2.7. A patch is expected no later than April 1, 2026, Dream added.

Technically, the problem is an out-of-bounds write in the LINEMODE Set Local Characters (SLC) suboption handler. That leads to a buffer overflow and can be turned into arbitrary memory writes. In short, an attacker can corrupt memory and then execute code on the server.

How it can be exploited

The vulnerability can be triggered during the initial telnet handshake. Dream warned, “An unauthenticated remote attacker can exploit this by sending a specially crafted message during the initial connection handshake before any login prompt appears.”

Dream researcher Adiel Sol explained the attack path in plain terms. “An unauthenticated attacker can trigger it by connecting to port 23 and sending a crafted SLC suboption with many triplets,” Sol said. “No login is required; the bug is hit during option negotiation, before the login prompt.”

That means a single network connection to port 23 is enough. No credentials are needed. No user interaction is required. Telnetd commonly runs as root under inetd or xinetd, so successful exploitation would give full system control.

Why this matters

Full root control opens many doors. Administrators could face persistent backdoors, stolen data, or attackers using the host as a pivot point to reach other systems. The impact is severe because telnet is an old protocol and often runs with high privileges.

This disclosure arrives after a recent, similar incident. A prior critical telnetd flaw, CVE-2026-24061, also scored 9.8 and was later seen being exploited in the wild, the U.S. Cybersecurity and Infrastructure Security Agency said.

What to do now

Until a patch is available, Dream and other experts recommend several actions. Disable Telnet if you do not need it. If Telnet is required, run telnetd without root privileges where possible. Block port 23 at the network perimeter and on host firewalls. Isolate any systems that must offer Telnet access.

Finally, plan to apply the vendor patch as soon as it is released and monitor vendor advisories closely. Administrators should also watch for signs of exploitation and review logs for unexpected connections to port 23.
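
For the monitoring step, one way to look for the pattern Dream describes (an SLC suboption with many triplets during option negotiation) is to count triplets in recorded client-to-server bytes. This is an added example, not code from Dream or GNU InetUtils; the function names are hypothetical, the option codes come from RFC 1184, and the limit of 18 triplets is an assumption based on the number of SLC functions that RFC defines.

```python
"""Flag telnet LINEMODE SLC suboptions that carry an unusual number of triplets."""

IAC, SB, SE = 0xFF, 0xFA, 0xF0   # telnet command bytes (RFC 854/855)
LINEMODE, LM_SLC = 0x22, 0x03    # option 34 and its SLC suboption (RFC 1184)
MAX_TRIPLETS = 18                # assumption: RFC 1184 defines 18 SLC functions


def slc_suboptions(stream: bytes):
    """Yield the un-escaped payload of each IAC SB LINEMODE SLC ... IAC SE."""
    i, n = 0, len(stream)
    while i + 1 < n:
        if stream[i] != IAC:
            i += 1
            continue
        if stream[i + 1] != SB:      # IAC IAC, WILL/DO/..., or another command
            i += 2
            continue
        body, i = bytearray(), i + 2
        while i < n:
            pair = stream[i:i + 2]
            if pair == bytes([IAC, SE]):   # end of suboption
                i += 2
                break
            if pair == bytes([IAC, IAC]):  # escaped literal 0xFF data byte
                i += 1
            body.append(stream[i])
            i += 1
        if body[:2] == bytes([LINEMODE, LM_SLC]):
            yield bytes(body[2:])


def check_stream(stream: bytes, limit: int = MAX_TRIPLETS):
    """Return one finding per SLC suboption seen in client-to-server bytes."""
    findings = []
    for payload in slc_suboptions(stream):
        triplets, leftover = divmod(len(payload), 3)
        findings.append({
            "triplets": triplets,
            "leftover_bytes": leftover,
            # Over the limit, or not a whole number of triplets: worth an alert.
            "suspicious": triplets > limit or leftover != 0,
        })
    return findings


# Constructed sample (not captured traffic): IAC WILL LINEMODE, then one SLC
# suboption with three (function, flags, value) triplets.
BENIGN = bytes([IAC, 0xFB, LINEMODE, IAC, SB, LINEMODE, LM_SLC,
                3, 2, 3, 4, 2, 15, 10, 2, 127, IAC, SE])

if __name__ == "__main__":
    for finding in check_stream(BENIGN):
        print(finding)
```

Feed it the reassembled client-to-server bytes of a port 23 session from a packet capture. The limit is a tunable alerting threshold, not the exact bound of the bug, which the article does not give.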