Telnet’s long-acknowledged security weaknesses have now materialized into something concrete: a pre-authentication, root-level remote code execution flaw sitting in one of the protocol’s most widely deployed daemon implementations.
Cybersecurity firm Dream disclosed CVE-2026-32746 on March 11, 2026, assigning it a CVSS score of 9.8 out of 10.0. The flaw exists in the GNU InetUtils telnet daemon (telnetd) and affects all versions of the implementation through 2.7. According to the announcement, a patch is expected no later than April 1, 2026.
The vulnerability is an out-of-bounds write in the LINEMODE Set Local Characters (SLC) suboption handler, triggered during the Telnet protocol option negotiation phase. Because this phase occurs before any login prompt appears, no credentials, user interaction, or privileged network position are required to exploit it. A single connection to port 23 is sufficient.
Dream security researcher Adiel Sol described the mechanics directly: “An unauthenticated attacker can trigger it by connecting to port 23 and sending a crafted SLC suboption with many triplets. No login is required; the bug is hit during option negotiation, before the login prompt. The overflow corrupts memory and can be turned into arbitrary writes. In practice, this can lead to remote code execution. Because telnetd usually runs as root (e.g., under inetd or xinetd), a successful exploit would give the attacker full control of the system.”
Successful exploitation opens a compromised host to persistent backdoor deployment, data exfiltration, and lateral movement using the host as a pivot point.
Scope and Prior Context
The disclosure arrives approximately two months after a separate critical flaw in GNU InetUtils telnetd, CVE-2026-24061 (also CVSS 9.8), was identified and has since seen active exploitation in the wild, according to the U.S. Cybersecurity and Infrastructure Security Agency. Attack surface management platform Censys recorded roughly 3,362 exposed hosts as of March 18, 2026.
More Read
A follow-up analysis by watchTowr Labs researchers McCaulay Hudson and Aliz Hammond extended the picture considerably. The vulnerable code appears across FreeBSD, NetBSD, Citrix NetScaler, Haiku, TrueNAS Core, uCLinux, libmtev, and DragonFlyBSD. The researchers also identified CVE-2005-0469 as a structurally similar flaw on the client side. Their analysis notes that while reliable remote code execution is difficult and environment-specific, memory corruption, pointer leaks, and arbitrary writes are achievable in a range of configurations. The precise impact varies because the underlying code has been reused and modified across legacy and embedded platforms, leaving the full exposure difficult to quantify.
“The most striking thing about this vulnerability is its sheer reach,” Hudson and Hammond wrote. “A good portion of the huge number of systems running some kind of Telnet server includes this vulnerable code.”
Mitigations Before a Patch Arrives
Pending the fix, Dream recommends disabling telnetd entirely where the service is not necessary, running it without root privileges where it is required, blocking port 23 at both the network perimeter and host-based firewall level, and isolating any Telnet access that must remain operational.
Photo by Pixabay
This article is a curated summary based on third-party sources. Source: Read the original article
