Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthorized Root RCE via Port 23
Cybersecurity researchers have disclosed a critical security flaw affecting the GNU InetUtils telnet daemon (telnetd) that could be used by an unauthenticated remote attacker to execute arbitrary code with elevated privileges.
Vulnerability, followed by CVE-2026-32746it holds a CVSS score of 9.8 out of 10.0. Described as an out-of-bounds issue in the LINEMODE Set Local Character Handler (SLC) that leads to a buffer overflow, ultimately paving the way for code execution.
Israeli cybersecurity company Dream, which discovered and reported the bug on March 11, 2026, said it affects all versions of the Telnet service implementation in 2.7. A fix for the vulnerability is expected to be available before April 1, 2026.
“An unauthorized remote attacker could exploit this by sending a specially crafted message during the initial handshake – before any login notification appears,” Dream said in a warning. “A successful exploit can lead to remote code execution as root.”
“A single network connection to port 23 is enough to trigger the vulnerability. No credentials, no user interaction, and no special network position are required.”
The SLC manager, on a per-dream basis, considers the negotiation option during the Telnet protocol handshake. But given that the bug can be activated before authentication, an attacker can exploit it immediately after establishing a connection by sending specially crafted protocol messages.
A successful exploit can cause a complete system crash if telnetd is running with root privileges. This, in turn, can open the door to a variety of post-exploitation activities, including the deployment of persistent backdoors, data exfiltration, and lateral movement using vulnerable hosts as pivot points.
“An unauthorized attacker can initiate it by connecting to port 23 and sending a crafted SLC suboption with multiple triplets,” according to Dream security researcher Adiel Sol.
“No login is required; the bug is hit during the option dialog, before the login prompt. The overflow corrupts memory and can be turned into nonsense writing. In fact, this can lead to remote code execution. Because telnetd often runs as root (eg, under inetd or xinetd), a successful exploit can give a system attacker full control of the system.”
If there is no fix, it is advised to disable the service if it is not needed, use telnetd without root privileges when needed, block port 23 in the network perimeter and host-based security level to limit access, and isolate Telnet access.
This disclosure comes nearly two months after the disclosure of a critical security flaw in GNU InetUtils telnetd (CVE-2026-24061, CVSS score: 9.8) that could be exploited to gain root access to a target system. The vulnerability has since been subject to active exploitation in the wild, according to the Cybersecurity and Infrastructure Security Agency of the US.
