
CVE-2026-32746: Critical Unpatched Vulnerability in GNU InetUtils telnetd Enables Unauthenticated Remote Root Code Execution via Port 23


Executive Summary

A critical vulnerability, CVE-2026-32746, has been identified in the GNU InetUtils telnetd daemon, affecting all versions up to and including 2.7. The flaw lets an unauthenticated remote attacker achieve root-level remote code execution (RCE) by sending a crafted Telnet option-negotiation message to port 23, before the login prompt is ever reached. Exploitation requires no credentials or user interaction, and at the time of writing no official patch is available. Because telnetd persists on legacy systems, embedded and IoT devices, and some Linux distributions, the issue poses a severe risk to any organization with an exposed Telnet service. Immediate action is required to reduce exposure and to monitor for exploitation attempts.

Technical Information

CVE-2026-32746 is a buffer overflow in the LINEMODE SLC (Set Local Characters) suboption handler of GNU InetUtils telnetd. LINEMODE (RFC 1184) lets the client tell the server which local characters map to which editing and signal functions; it does so with an IAC SB LINEMODE SLC ... IAC SE suboption whose payload is a list of three-byte triplets (function, modifier flags, value). The flaw is rooted in the add_slc function, which does not check buffer boundaries while processing those triplets during the Telnet handshake. A client that sends an SLC suboption carrying more triplets than the handler's fixed-size buffer can hold triggers an out-of-bounds write, leading to arbitrary memory corruption, and all of this happens before any authentication has taken place.

This vulnerability is classified under CWE-120: Buffer Copy without Checking Size of Input. The CVSS v3.1 base score is 9.8 (CRITICAL), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The flaw was discovered by Adiel Sol of Dream Security (Israel) and publicly disclosed on March 11, 2026.

The attack is executed by establishing a TCP connection to port 23 and sending a malformed Telnet negotiation message. Because the vulnerable code runs before the login prompt, no credentials are required. Successful exploitation yields code execution with root privileges: telnetd runs as root under inetd or xinetd because it must allocate a pseudo-terminal and exec login(8) for whichever account eventually authenticates, so it has no opportunity to drop privileges before the option negotiation that triggers the bug. An attacker who lands there can fully compromise the host, install persistent backdoors, exfiltrate data, and move laterally within the network.
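The following is an added illustration of the parsing and bounding involved; it is not GNU InetUtils code and does not reproduce the vulnerable add_slc. It decodes a LINEMODE SLC suboption into a fixed-size triplet table and answers it from a fixed-size reply buffer, applying the two bounds an unbounded handler lacks: a cap of NSLC triplets on input, and a byte-level check on the reply (each triplet byte may be 0xff and must be IAC-doubled, so one triplet can cost six output bytes). The constants come from RFC 854/1184 and <arpa/telnet.h>; the reply buffer sizing (NSLC*6 plus framing) is an assumption modelled on the BSD-derived code, and the sample suboptions are constructed.

```c
/* Added illustration, not GNU InetUtils code: bounded handling of a LINEMODE
 * SLC suboption. Constants from RFC 854/1184 and <arpa/telnet.h>. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IAC 255
#define SB  250
#define SE  240
#define TELOPT_LINEMODE 34
#define LM_SLC  3                  /* LINEMODE suboption code for SLC */
#define NSLC    18                 /* SLC functions defined in <arpa/telnet.h> */
#define SLC_ACK 0x80
/* Assumed reply buffer sizing: NSLC triplets, 6 bytes each in the worst case
 * (every byte 0xff and IAC-doubled), plus IAC SB LINEMODE SLC ... IAC SE. */
#define SLCBUF_CAP (NSLC * 6 + 6)

/* Parse the bytes after IAC SB: LINEMODE SLC <triplets> IAC SE.
 * Returns the triplet count, -1 on bad framing, or -2 if the peer sent more
 * than NSLC triplets (the input an unbounded handler would overrun on). */
int parse_slc_suboption(const uint8_t *sub, size_t len, uint8_t triplets[][3])
{
    if (len < 4 || sub[0] != TELOPT_LINEMODE || sub[1] != LM_SLC) return -1;
    if (sub[len - 2] != IAC || sub[len - 1] != SE) return -1;
    size_t i = 2, end = len - 2;
    int n = 0, pos = 0;
    while (i < end) {
        uint8_t c = sub[i++];
        if (c == IAC) {                      /* only IAC IAC is legal inside SB */
            if (i >= end || sub[i] != IAC) return -1;
            i++;
        }
        if (n == NSLC) return -2;            /* the bound the vulnerable path lacks */
        triplets[n][pos++] = c;
        if (pos == 3) { pos = 0; n++; }
    }
    return pos == 0 ? n : -1;                /* dangling partial triplet */
}

/* Echo each triplet back with SLC_ACK set, refusing to overrun 'out'.
 * Returns bytes written, or -1 if the reply would not fit. */
int build_slc_reply(uint8_t triplets[][3], int n, uint8_t *out, size_t cap)
{
    static const uint8_t head[4] = { IAC, SB, TELOPT_LINEMODE, LM_SLC };
    if (cap < sizeof head + 2) return -1;
    memcpy(out, head, sizeof head);
    size_t len = sizeof head;
    for (int t = 0; t < n; t++) {
        uint8_t b[3] = { triplets[t][0], (uint8_t)(triplets[t][1] | SLC_ACK), triplets[t][2] };
        for (int k = 0; k < 3; k++) {
            size_t need = (b[k] == IAC) ? 2 : 1;
            if (len + need + 2 > cap) return -1;   /* keep room for IAC SE */
            out[len++] = b[k];
            if (b[k] == IAC) out[len++] = IAC;     /* IAC is doubled inside SB */
        }
    }
    out[len++] = IAC;
    out[len++] = SE;
    return (int)len;
}

/* Constructed input: LINEMODE SLC, n triplets, IAC SE. The first triplet's
 * value is 0xff so the escaping path is exercised. Returns 0 if cap is too small. */
size_t make_slc_suboption(uint8_t *out, size_t cap, int n)
{
    size_t len = 0;
    if (cap < 4) return 0;
    out[len++] = TELOPT_LINEMODE;
    out[len++] = LM_SLC;
    for (int t = 0; t < n; t++) {
        uint8_t trip[3] = { (uint8_t)(t % NSLC + 1), 0x03, (uint8_t)(t == 0 ? 0xff : 0x10 + t) };
        for (int k = 0; k < 3; k++) {
            if (len + 4 > cap) return 0;
            out[len++] = trip[k];
            if (trip[k] == IAC) out[len++] = IAC;
        }
    }
    out[len++] = IAC;
    out[len++] = SE;
    return len;
}

/* Build n triplets, parse them, reply. Returns the reply length or the parse error. */
int slc_roundtrip(int n)
{
    uint8_t sub[256], reply[SLCBUF_CAP], table[NSLC][3];
    size_t len = make_slc_suboption(sub, sizeof sub, n);
    int parsed = parse_slc_suboption(sub, len, table);
    return parsed < 0 ? parsed : build_slc_reply(table, parsed, reply, sizeof reply);
}

/* Worst case: NSLC all-0xff triplets exactly fill SLCBUF_CAP; one byte less fails. */
int slc_worst_case(size_t cap)
{
    uint8_t table[NSLC][3], reply[SLCBUF_CAP];
    if (cap > sizeof reply) cap = sizeof reply;
    memset(table, 0xff, sizeof table);
    return build_slc_reply(table, NSLC, reply, cap);
}

int main(void)
{
    int counts[3] = { 3, NSLC, NSLC + 1 };
    for (int i = 0; i < 3; i++)
        printf("%d triplets sent: result %d\n", counts[i], slc_roundtrip(counts[i]));
    printf("worst case at cap %d: %d; at cap %d: %d\n",
           SLCBUF_CAP, slc_worst_case(SLCBUF_CAP), SLCBUF_CAP - 1, slc_worst_case(SLCBUF_CAP - 1));
    return 0;
}
```

The two checks are deliberately independent. Nineteen plain triplets occupy only 57 payload bytes and would fit comfortably in the reply buffer, so a size check on the reply alone does not stop a table overrun; the input cap does. Conversely eighteen all-0xff triplets are legal by count yet need every one of the reply buffer's bytes, which is why the reply builder checks per byte rather than per triplet.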

Technical references and detailed discussions are available from the NVD, Openwall OSS Security Mailing List, The Hacker News, and the GNU Bug Tracker.

Exploitation in the Wild

As of this report, there are no confirmed public breaches directly attributed to CVE-2026-32746. However, technical details and exploitation strategies have circulated on security mailing lists and forums, increasing the likelihood of imminent exploitation. The attack vector is straightforward: a remote attacker connects to port 23 and sends a malicious SLC suboption during the Telnet option negotiation, which can result in root-level code execution.

No authentication or user interaction is required, and the attack can be performed from any network location with access to the target's port 23. Post-exploitation, attackers can gain persistent access, deploy malware, exfiltrate sensitive data, and use the compromised host as a pivot point for further attacks.

While no public proof-of-concept (PoC) code has been officially released, the technical details are sufficient for skilled attackers to develop working exploits. The risk is further heightened by the recent exploitation of a similar vulnerability (CVE-2026-24061) in GNU InetUtils telnetd, which was reported as actively exploited in the wild by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

APT Groups using this vulnerability

There is currently no direct attribution of CVE-2026-32746 exploitation to any specific Advanced Persistent Threat (APT) group. However, the nature of the vulnerability, unauthenticated remote root access through a legacy protocol, makes it attractive to sophisticated threat actors. Historically, APT groups such as APT28 and Lazarus have been reported to use exposed Telnet services for initial access and lateral movement, particularly against critical infrastructure, IoT, and industrial control systems.

Given the rapid dissemination of technical details and the ease of exploitation, it is highly probable that APT groups and cybercriminal organizations will incorporate this vulnerability into their toolkits. Organizations should remain vigilant for signs of exploitation and monitor threat intelligence sources for updates on APT activity related to CVE-2026-32746.

Affected Product Versions

All versions of GNU InetUtils telnetd up to and including 2.7 are confirmed as vulnerable. This includes, but is not limited to, the following versions: 1.9.3, 1.9.4, 2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, and 2.7. The vulnerability affects any Linux distribution or embedded/IoT device shipping or enabling telnetd from GNU InetUtils. Examples of affected distributions include Debian, Ubuntu, and SUSE Linux Enterprise Server 12 SP5-LTSS (the krb5-appl package, whose Kerberized telnetd shares the same BSD-derived LINEMODE code rather than being GNU InetUtils itself), as well as any appliance or device embedding GNU InetUtils telnetd version 2.7 or earlier.

Organizations should review their asset inventories for any instances of telnetd from GNU InetUtils and verify the version in use. The binary reports it directly: running telnetd --version prints a line of the form "telnetd (GNU inetutils) <version>". Note that several distributions also package a different telnetd under a similar name (Debian and Ubuntu, for example, ship a netkit-derived telnetd package alongside inetutils-telnetd), so confirm which implementation is installed rather than relying on the binary name. Any system running a vulnerable version is at immediate risk if port 23 is reachable.

Workaround and Mitigation

Until an official patch is released, organizations must take immediate steps to mitigate the risk posed by CVE-2026-32746. The most effective mitigation is to disable the telnetd service entirely if it is not strictly required for business operations: comment the telnet entry out of /etc/inetd.conf (or set disable = yes in the xinetd service file) and reload the superserver, or stop and mask the corresponding socket unit on systemd hosts. Where disabling is not feasible, block inbound connections to 23/tcp at both the network perimeter and host-based firewalls, allowing only trusted management networks.

If telnetd must remain operational, isolate it from untrusted networks through segmentation. Advice to run it with reduced privileges is of limited use here: telnetd needs root to allocate pseudo-terminals and exec login(8) for arbitrary accounts, and the vulnerable negotiation runs before any point at which it could drop privileges, so treat least-privilege hardening as secondary to removing or isolating the service. Monitoring should likewise be realistic about what the daemon records. telnetd does not log option negotiation, so "reviewing telnetd logs for malformed SLC suboptions" is not possible; instead inspect traffic to port 23 (IDS or packet capture) for LINEMODE SLC suboptions carrying more triplets than the 18 SLC functions the protocol defines, and watch the system log for telnetd crashes (a segfault message from the kernel is a typical trace of a failed exploitation attempt), together with any anomalous or unexpected source connecting to port 23.

Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR) solutions should be used to detect suspicious process activity from telnetd. Legitimate use spawns login(8), which in turn spawns the user's shell after authentication; a shell, download tool or network utility spawned directly by telnetd, or appearing before any login sequence, is a strong indicator of compromise. Also monitor for unauthorized inbound connections to port 23 and for new or modified binaries in system directories following telnetd activity.
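As an added detection example (not from the advisory and not GNU InetUtils code), the scanner below walks the client-to-server bytes of a Telnet session, such as a stream an IDS or pcap tool has reassembled from tcp/23, and flags any LINEMODE SLC suboption carrying more than NSLC (18) triplets, which no legitimate client has a reason to send. It skips data and plain IAC commands, unescapes IAC IAC inside suboptions, and resynchronises on malformed frames rather than losing the rest of the stream. The session it scans is constructed inline: a WILL LINEMODE, a normal three-triplet SLC, some typed input, and a twenty-triplet SLC of the kind a hostile client might send.

```c
/* Added detection example, not part of the advisory or GNU InetUtils:
 * count LINEMODE SLC triplets per suboption in a captured Telnet stream. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IAC  255
#define SB   250
#define SE   240
#define WILL 251
#define TELOPT_LINEMODE 34
#define LM_SLC 3
#define NSLC 18                     /* SLC functions in <arpa/telnet.h> */

struct slc_stats {
    int suboptions;                 /* LINEMODE SLC suboptions seen */
    int oversized;                  /* ...carrying more than NSLC triplets */
    int max_triplets;               /* largest triplet count in one suboption */
};

/* Walk the stream. Data and IAC commands are skipped (DO/DONT/WILL/WONT carry
 * an option byte); each IAC SB ... IAC SE frame is unescaped and, if it is
 * LINEMODE SLC, its payload length is turned into a triplet count. */
struct slc_stats scan_telnet_stream(const uint8_t *s, size_t n)
{
    struct slc_stats st = { 0, 0, 0 };
    size_t i = 0;
    while (i + 1 < n) {
        if (s[i] != IAC) { i++; continue; }
        uint8_t cmd = s[i + 1];
        if (cmd != SB) {
            i += (cmd >= 251 && cmd <= 254) ? 3 : 2;    /* IAC IAC or a command */
            continue;
        }
        size_t j = i + 2, count = 0;
        int hdr[2] = { -1, -1 }, closed = 0;
        while (j < n) {
            uint8_t c = s[j];
            if (c == IAC) {
                if (j + 1 >= n) { j = n; break; }
                if (s[j + 1] == SE) { closed = 1; j += 2; break; }
                if (s[j + 1] != IAC) break;             /* malformed: resync on this IAC */
                j += 2;                                 /* IAC IAC: one literal 0xff */
            } else {
                j++;
            }
            if (count < 2) hdr[count] = c;              /* option byte, LINEMODE sub-command */
            count++;
        }
        if (closed && hdr[0] == TELOPT_LINEMODE && hdr[1] == LM_SLC) {
            int triplets = (int)((count - 2) / 3);
            st.suboptions++;
            if (triplets > st.max_triplets) st.max_triplets = triplets;
            if (triplets > NSLC) st.oversized++;
        }
        i = j;
    }
    return st;
}

/* Constructed frame: IAC SB LINEMODE SLC, n triplets (first value 0xff to
 * exercise escaping), IAC SE. Returns bytes written, or 0 if cap is too small. */
size_t append_slc_frame(uint8_t *out, size_t cap, int n)
{
    size_t len = 0;
    if (cap < 6) return 0;
    out[len++] = IAC; out[len++] = SB; out[len++] = TELOPT_LINEMODE; out[len++] = LM_SLC;
    for (int t = 0; t < n; t++) {
        uint8_t trip[3] = { (uint8_t)(t % NSLC + 1), 0x03, (uint8_t)(t == 0 ? 0xff : 0x20 + t) };
        for (int k = 0; k < 3; k++) {
            if (len + 4 > cap) return 0;
            out[len++] = trip[k];
            if (trip[k] == IAC) out[len++] = IAC;
        }
    }
    out[len++] = IAC; out[len++] = SE;
    return len;
}

/* Constructed client-to-server session: WILL LINEMODE, a normal 3-triplet SLC,
 * typed input, then a 20-triplet SLC. Returns the stream length (92 bytes). */
size_t build_sample_stream(uint8_t *out, size_t cap)
{
    static const uint8_t will_lm[3] = { IAC, WILL, TELOPT_LINEMODE };
    size_t n = 0;
    if (cap < 128) return 0;
    memcpy(out, will_lm, 3); n += 3;
    n += append_slc_frame(out + n, cap - n, 3);
    memcpy(out + n, "root\r\n", 6); n += 6;
    n += append_slc_frame(out + n, cap - n, NSLC + 2);
    return n;
}

struct slc_stats scan_sample(void)
{
    uint8_t stream[256];
    return scan_telnet_stream(stream, build_sample_stream(stream, sizeof stream));
}

int main(void)
{
    struct slc_stats st = scan_sample();
    printf("%d SLC suboptions, max %d triplets, %d over the limit of %d\n",
           st.suboptions, st.max_triplets, st.oversized, NSLC);
    return 0;
}
```

In production the stream would come from a capture or an IDS preprocessor on the client-to-server direction only; the server's own SLC replies use the same framing and would otherwise be counted too. A single oversized SLC suboption from the outside is sufficient grounds to alert, regardless of whether the connection went on to authenticate.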

Rescana is here for you

Rescana is committed to helping organizations proactively manage third-party and supply chain cyber risk. Our advanced TPRM platform provides continuous monitoring, automated risk assessment, and actionable intelligence to help you identify and mitigate vulnerabilities across your digital ecosystem. If you have questions about this advisory, require assistance with incident response, or need guidance on securing your environment, our team is ready to help. Please contact us at ops@rescana.com.