GNU telnetd Flaw Grants Root Access Before Login Prompt
CVE-2026-32746 in GNU InetUtils telnetd allows unauthenticated root RCE via buffer overflow. CVSS 9.8, no patch available, over 200K servers exposed.
A critical vulnerability in GNU InetUtils telnetd allows unauthenticated attackers to execute arbitrary code as root before the login prompt even appears. The flaw, tracked as CVE-2026-32746, carries a CVSS score of 9.8 and affects all versions of the Telnet service implementation through 2.7.
Israeli cybersecurity firm Dream discovered and reported the vulnerability on March 11, 2026. No patch is currently available, with a fix expected by April 1.
How the Attack Works
The vulnerability exists in the LINEMODE Set Local Characters (SLC) suboption handler during the initial Telnet connection handshake. According to Dream's disclosure, an out-of-bounds write in this handler triggers a buffer overflow that enables code execution.
An unauthenticated attacker can trigger the flaw by connecting to port 23 and sending a crafted SLC suboption containing many triplets. The critical detail: exploitation occurs during protocol negotiation, before any authentication takes place.
If telnetd runs with elevated privileges—which it commonly does on legacy systems—the attacker gains immediate root access.
Scale of Exposure
Internet scans reveal over 200,000 devices currently running Telnet servers globally, with approximately one million devices listening on the default Telnet port 23. While Telnet has largely been deprecated in favor of SSH, the protocol remains prevalent across embedded systems, network appliances, and operational technology infrastructure.
Organizations in manufacturing, utilities, and healthcare often maintain legacy equipment where Telnet is the only remote management option. These environments face the highest risk.
This follows a pattern we've seen repeatedly with legacy protocols. The Wing FTP Server vulnerability added to CISA's KEV last week similarly affected systems that organizations often forget about until they're compromised.
Connection to CVE-2026-24061
CVE-2026-32746 is actually the second critical GNU InetUtils telnetd vulnerability disclosed this year. The first, CVE-2026-24061, is an authentication bypass that allows attackers to gain root access by manipulating the USER environment variable.
With CVE-2026-24061, an attacker sets USER to "-f root" during the Telnet session. When telnetd constructs the login command, it becomes /usr/bin/login -h [hostname] "-f root". The -f flag tells login to skip authentication entirely. CISA has already added that vulnerability to its Known Exploited Vulnerabilities catalog due to active exploitation by threat actors including a group tracked as 'rwxrwx'.
The combination of two critical, unpatched vulnerabilities in the same service creates compounding risk for any organization still running Telnet.
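An added example, not code from Dream, CISA or GNU InetUtils: a Python check a network sensor could run over a client's pre-login Telnet bytes to flag the two patterns described above, an SLC suboption with an unusually large triplet count and a USER value that begins with a dash. The threshold `MAX_SLC_TRIPLETS`, the function names and the sample byte strings are assumptions made for illustration, as is the premise that USER arrives in the NEW-ENVIRON option (RFC 1572).

```python
import re

IAC, SB, SE = 255, 250, 240  # RFC 854 framing bytes
LINEMODE, LM_SLC = 34, 3  # RFC 1184 option and SLC suboption codes
NEW_ENVIRON, VAR, VALUE, ESC, USERVAR = 39, 0, 1, 2, 3  # RFC 1572
MAX_SLC_TRIPLETS = 32  # assumed alert threshold, not a value from the advisory
# IAC SB <opt> <body> IAC <x>, or any other two-byte IAC sequence (skipped).
# Any IAC not followed by IAC ends the body, so malformed terminators are still inspected.
SUBOPT = re.compile(rb"\xff\xfa([\s\S])((?:[^\xff]|\xff\xff)*)\xff[^\xff]|\xff[\s\S]")

def suboptions(stream):
    """Yield (option, payload) per subnegotiation, with IAC IAC unescaped to 255."""
    for m in SUBOPT.finditer(stream):
        if m.group(1) is not None:
            yield m.group(1)[0], m.group(2).replace(b"\xff\xff", b"\xff")

def env_vars(payload):
    """Decode a NEW-ENVIRON IS/INFO payload into {name: value}."""
    entries, field, k = [], None, 1  # byte 0 is the IS/INFO command
    while k < len(payload):
        b = payload[k]
        if b in (VAR, USERVAR):  # start of a new variable name
            entries.append([bytearray(), bytearray()])
            field = entries[-1][0]
        elif b == VALUE and entries:  # switch to that variable's value
            field = entries[-1][1]
        elif field is not None:
            if b == ESC and k + 1 < len(payload):
                k += 1  # ESC: take the next byte literally
            field.append(payload[k])
        k += 1
    return {bytes(a).decode("latin-1"): bytes(v).decode("latin-1") for a, v in entries}

def inspect_stream(stream):
    """Return one finding per suspicious subnegotiation in a client's bytes."""
    findings = []
    for opt, body in suboptions(stream):
        triplets = (len(body) - 1) // 3  # payload is LM_SLC followed by 3-byte triplets
        user = env_vars(body).get("USER", "") if opt == NEW_ENVIRON else ""
        if opt == LINEMODE and body[:1] == bytes([LM_SLC]) and triplets > MAX_SLC_TRIPLETS:
            findings.append(f"LINEMODE SLC with {triplets} triplets")
        if user.startswith("-"):
            findings.append(f"NEW-ENVIRON USER starts with '-': {user!r}")
    return findings

# Constructed client byte strings, not captured traffic.
ONE_TRIPLET = bytes([IAC, SB, LINEMODE, LM_SLC, 3, 2, 3, IAC, SE])
DASH_USER = bytes([IAC, SB, NEW_ENVIRON, 0, VAR]) + b"USER\x01-f root" + bytes([IAC, SE])
```

`inspect_stream(ONE_TRIPLET)` returns an empty list, while `inspect_stream(DASH_USER)` returns one finding for the USER value.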
Mitigations
With no patch available for CVE-2026-32746, organizations should take immediate defensive action:
- Disable telnetd entirely if the service isn't strictly required for operations
- Block port 23 at both network perimeter and host-based firewalls
- Run telnetd without root privileges where feasible to limit the impact of successful exploitation
- Isolate Telnet access to trusted, segmented networks only
- Migrate to SSH as the long-term solution for remote management
For OT environments where Telnet cannot be disabled, network segmentation becomes essential. The CISA BOD 26-02 guidance on edge device security applies directly to this situation—unmanaged legacy services represent exactly the risk that directive aims to address.
Why This Matters
Telnet vulnerabilities might seem like relics of a bygone era, but attackers actively scan for these services precisely because defenders often overlook them. The presence of active exploitation for CVE-2026-24061 demonstrates that threat actors haven't forgotten about Telnet.
Organizations should treat this as an opportunity to audit their environment for legacy protocols. Beyond Telnet, services like FTP, rsh, and rlogin present similar risks and often coexist on the same aging infrastructure.
The window between disclosure and patch availability—roughly three weeks in this case—is when attackers move fastest. Proof-of-concept code typically appears within days, and the straightforward nature of this vulnerability makes weaponization trivial.
For enterprises running OT or embedded systems, coordinate with vendors immediately to understand your exposure. Many network appliances bundle GNU InetUtils, and the telnetd component may be enabled by default in ways that aren't obvious from the management interface.
The Signal-K boat server CVE-2025-66398 vulnerability we covered earlier shows how these legacy protocol issues extend into IoT—anywhere you have remote management on older systems, assume Telnet might be present until proven otherwise.