Researchers warn of unpatched, critical Telnetd flaw affecting all versions

CVE-2026-32746 is a critical flaw in GNU InetUtils telnetd that allows remote attackers to execute code with elevated privileges

Cybersecurity company Dream disclosed a critical flaw, tracked as CVE-2026-32746 (CVSS score of 9.8), in GNU InetUtils telnetd that lets unauthenticated remote attackers execute code with elevated privileges. The issue stems from an out-of-bounds write in the LINEMODE handler, causing a buffer overflow.

The flaw affects all versions up to 2.7. A patch is expected by April 1, 2026, and users are urged to update as soon as it becomes available.

GNU InetUtils telnetd is a server component of GNU InetUtils that provides remote login access via the Telnet protocol. It allows users to connect to a system over a network and run commands remotely, though it’s largely outdated and insecure compared to modern alternatives like SSH.

“Dream Security uncovered a new buffer overflow vulnerability (CVE-2026-32746) in the GNU Inetutils telnetd daemon, specifically in the code that handles LINEMODE SLC (Set Local Characters) option negotiation.” reads the report published by Dream Security. “An unauthenticated remote attacker can exploit this by sending a specially crafted message during the initial connection handshake — before any login prompt appears. Successful exploitation can result in remote code execution as root. An initial report was sent to the GNU Inetutils security team following the discovery.”

The experts warn of the trivial exploitation of this issue, which can lead to complete system compromise.

Any system running vulnerable GNU Inetutils telnetd is affected, including Linux distributions, IoT devices, and legacy OT/ICS environments using Telnet. The flaw can be triggered remotely during the initial connection by sending a crafted request, requiring no authentication or user interaction, making exploitation straightforward and highly dangerous.

“Because  telnetd  typically runs as root (via  inetd  or  xinetd ), successful exploitation yields complete host compromise, including but not limited to:

• Arbitrary remote code execution as root
• Persistent backdoor installation
• Sensitive data exfiltration
• Use of the host as a pivot point for further network intrusion

A single network connection to port 23 is sufficient to trigger the vulnerability. No credentials, no user interaction, and no special network position are required.” continues the advisory.

Experts recommend disabling Telnet services until a fix is available. To mitigate risk, block port 23, restrict access, and avoid running it as root. Enable network-level logging, packet capture, and IDS monitoring to detect exploitation attempts, and store logs centrally.

Dream researchers warn that, despite being outdated and insecure, Telnet is still widely used in ICS/OT and government systems with legacy infrastructure, where upgrades are costly or impractical, making these environments especially vulnerable to severe real-world impacts.

In January 2026, security researcher Kyu Neushwaistein (aka Carlos Cortes Alvarez) reported another critical vulnerability, tracked as CVE-2026-24061 (CVSS score of 9.8), in the GNU InetUtils telnet daemon (telnetd) that impacts all versions from 1.9.3 to 2.7.

The vulnerability can be exploited to gain root access on affected systems. The vulnerability was introduced as part of a source code commit made on March 19, 2015. The flaw remained undiscovered for nearly 11 years, posing long-standing security risks.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, GNU InetUtils telnetd)