PROBABLYPWNED
Vulnerabilities | April 1, 2026

Telnetd Flaw Lets Attackers Get Root Before Login Prompt

CVE-2026-32746 (CVSS 9.8) in GNU InetUtils telnetd enables unauthenticated root RCE via buffer overflow. FreeBSD, NetBSD, Citrix NetScaler affected.

Marcus Chen

A critical vulnerability in the GNU InetUtils telnetd implementation allows unauthenticated attackers to execute arbitrary code with root privileges—before the login prompt even appears. The flaw, tracked as CVE-2026-32746, carries a CVSS score of 9.8 and affects a surprisingly wide range of systems still running Telnet services.

Israeli cybersecurity firm Dream discovered and reported the vulnerability on March 11, 2026. The patch was expected to land by April 1, but organizations running affected systems should take immediate defensive action.

What Makes This Flaw So Dangerous

The vulnerability exists in the LINEMODE Set Local Characters (SLC) suboption handler. An out-of-bounds write in this handler triggers a buffer overflow, giving attackers a direct path to code execution. The attack requires nothing more than a network connection to port 23—no credentials, no authentication, no user interaction.

Because telnetd typically runs as root, successful exploitation grants attackers complete control over the target system. The attack happens during the initial option negotiation, before any login attempt is ever made, so authentication logs give defenders no failed-login signal to alert on.

Affected Systems

The flaw impacts GNU InetUtils telnetd through version 2.7, but the ripple effects extend far beyond Linux distributions. According to Dream's disclosure, affected software includes:

  • FreeBSD and NetBSD
  • Citrix NetScaler (a concern given the recent NetScaler exploitation we covered)
  • TrueNAS Core
  • Haiku OS
  • DragonFlyBSD
  • uClinux
  • libmtev

Censys identified approximately 3,362 exposed hosts as of March 18. That number likely understates the true exposure, since many Telnet services sit behind corporate firewalls or on internal networks.

Why Telnet Still Exists

Security teams have been trying to kill Telnet for decades. The protocol transmits everything in plaintext, including credentials. SSH solved this problem in 1995. Yet Telnet persists in legacy environments, embedded systems, and network equipment that predates modern security practices.

The reality is messier than "just disable Telnet." Industrial control systems, older networking gear, and certain mainframe environments still depend on it. For organizations that can't immediately migrate away, this vulnerability creates an urgent problem.

Recommended Mitigations

Until patches are available and deployed:

  1. Disable telnetd entirely if your environment doesn't require it
  2. Block port 23 at your network perimeter and internal firewalls
  3. Run telnetd without root privileges if you must keep it running (reduces blast radius)
  4. Isolate Telnet access to specific network segments with strict access controls
  5. Monitor for exploitation attempts targeting port 23
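One way to act on item 5, added here as a detection example rather than anything from the article or from GNU InetUtils: a small parser that pulls LINEMODE SLC suboptions out of captured port-23 traffic and flags any whose data length is malformed or larger than a legitimate SLC reply needs. The command and option constants are the RFC 854/1184 values; the alert threshold and the sample captures are constructed assumptions.

```python
"""Flag malformed or oversized LINEMODE SLC suboptions in captured Telnet traffic.
Added detection example, not code from the article or GNU InetUtils. Command and
option values follow RFC 854/1184; the threshold and samples are constructed."""
IAC, SB, SE, WILL = 255, 250, 240, 251  # Telnet command bytes (RFC 854)
LINEMODE, SLC = 34, 3                   # LINEMODE option, SLC suboption (RFC 1184)
MAX_SLC_TRIPLETS = 32                   # assumed threshold; RFC 1184 defines 18 SLC functions


def iter_suboptions(stream: bytes):
    """Yield (option, payload) per complete IAC SB ... IAC SE; unescape IAC IAC."""
    i, n = 0, len(stream)
    while i + 2 < n:
        if stream[i] != IAC or stream[i + 1] != SB:
            i += 1  # bytes outside a suboption negotiation are ignored
            continue
        option, payload, j = stream[i + 2], bytearray(), i + 3
        # Copy payload until an IAC that is not the first half of an IAC IAC escape.
        while j < n and not (stream[j] == IAC and stream[j + 1:j + 2] != bytes([IAC])):
            payload.append(stream[j])
            j += 2 if stream[j] == IAC else 1
        if stream[j:j + 2] != bytes([IAC, SE]):
            return  # suboption cut off by end of stream: drop it
        yield option, bytes(payload)
        i = j + 2


def slc_alerts(stream: bytes) -> list:
    """Describe each LINEMODE SLC suboption whose data length looks abnormal."""
    alerts = []
    for option, payload in iter_suboptions(stream):
        if option != LINEMODE or not payload or payload[0] != SLC:
            continue
        body = len(payload) - 1  # SLC data is a sequence of 3-byte triplets
        if body % 3:
            alerts.append(f"malformed SLC suboption: {body} data bytes is not whole triplets")
        elif body // 3 > MAX_SLC_TRIPLETS:
            alerts.append(f"oversized SLC suboption: {body // 3} triplets > {MAX_SLC_TRIPLETS}")
    return alerts


def slc_negotiation(triplets: bytes) -> bytes:
    """Frame SLC data as IAC SB LINEMODE SLC <data> IAC SE, escaping 0xFF as IAC IAC."""
    escaped = triplets.replace(bytes([IAC]), bytes([IAC, IAC]))
    return bytes([IAC, SB, LINEMODE, SLC]) + escaped + bytes([IAC, SE])


# Constructed samples (not real traffic): a normal client reply setting IP=^C,
# EC=DEL and one function to 0xFF (exercises escaping) vs. an oversized one.
NORMAL = bytes([IAC, WILL, LINEMODE]) + slc_negotiation(bytes([3, 2, 3, 10, 2, 127, 1, 2, 255]))
OVERSIZED = slc_negotiation(bytes([3, 2, 3]) * 60)
```

Feed it the client-to-server byte stream of a port-23 session (for example reassembled from a capture); `slc_alerts(NORMAL)` returns an empty list while `slc_alerts(OVERSIZED)` returns one oversized alert, and a threshold tuned to your own clients' legitimate SLC replies will cut false positives.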

Organizations running Citrix NetScaler should pay particular attention. NetScaler has been under heavy attack this year, and adding an unauthenticated RCE to the mix creates serious risk. We've seen multiple critical Citrix vulnerabilities exploited in rapid succession.

The Broader Lesson

This vulnerability highlights a persistent blind spot in enterprise security. Legacy protocols get forgotten until someone finds a way to weaponize them. Telnet services might not show up on modern asset inventories, but they're still running on equipment deployed years ago.

Security teams should treat this as a reminder to audit their environments for legacy services. If you haven't looked for Telnet recently, now is the time. The 3,362 exposed hosts Censys found represent the tip of the iceberg—the ones visible from the internet. Internal exposure is likely orders of magnitude larger.

For those managing infrastructure with Telnet dependencies, this is also an opportunity to push for migration. A CVSS 9.8 vulnerability requiring zero authentication tends to focus executive attention on technical debt.

What to Watch For

The patch timeline puts pressure on both GNU maintainers and downstream vendors. FreeBSD, NetBSD, and other affected projects need to integrate fixes and push updates to users. Citrix NetScaler customers should monitor for emergency patches.

Given the severity and the trivial exploitation requirements, proof-of-concept code will likely appear soon. Organizations with exposed Telnet services have a narrow window to harden their defenses before opportunistic scanning begins.

The security community has been saying "disable Telnet" for 30 years. This vulnerability demonstrates why that advice matters—and what happens when it goes unheeded.
