
CVE-2026-32746: Analysis of Pre-Authentication RCE Vulnerability in GNU InetUtils telnetd


In March 2026, a critical remote code execution (RCE) vulnerability, CVE-2026-32746, was disclosed in the Telnet daemon (telnetd) of GNU InetUtils. The vulnerability is rated 9.8 (Critical) under the CVSS v3.1 scoring system and stems from a structural flaw that allows attackers to execute arbitrary code remotely prior to authentication. What makes this vulnerability particularly dangerous is that it can be triggered before the login prompt appears, meaning the attack occurs before any authentication process begins. This significantly lowers the barrier to exploitation. An attacker can gain system-level access with a single network connection and a crafted message, without requiring valid credentials or any user interaction.

Although Telnet is often considered a legacy protocol and dismissed as obsolete, real-world exposure tells a different story. Telnet continues to be actively used across various environments, including legacy systems, embedded devices, network appliances, and maintenance interfaces. In many cases, these services remain externally accessible due to misconfigurations or operational convenience, making them persistent entry points into internal systems. 

Under these conditions, the disclosure of a vulnerability like CVE-2026-32746, which is exploitable immediately at the pre-authentication stage, raises the risk far beyond that of a typical service flaw: it turns every internet-exposed Telnet service into a direct attack surface, enabling rapid and scalable exploitation.

In this article, we analyze the root cause and exploitation flow of CVE-2026-32746, and examine how exposure of legacy services can translate into real-world compromise scenarios.

GNU InetUtils telnetd Vulnerability Overview

Category            Description
Vulnerability ID    CVE-2026-32746
Affected Product    GNU InetUtils telnetd
Vulnerability Type  Buffer Overflow (CWE-120)
CVSS Score          9.8 (Critical)
Key Impact          Remote Code Execution (RCE) without authentication, potential root privilege compromise

The CVE-2026-32746 vulnerability originates from the Telnet protocol’s option negotiation process. Specifically, it is caused by improper buffer size validation in the LINEMODE SLC (Set Local Characters) handling logic, leading to an out-of-bounds write condition. When an attacker sends a specially crafted SLC message, it can corrupt memory and ultimately result in arbitrary code execution.

This vulnerability is particularly critical due to the following structural weaknesses:

  • Protocol handling logic executed prior to authentication
  • Lack of input size validation
  • Common deployment where the service runs with root privileges

When combined, these conditions allow a simple memory corruption flaw to escalate into a full system compromise, enabling arbitrary code execution with root-level access.
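The LINEMODE SLC suboption in which the flaw sits is a list of three-byte (function, modifier, value) triplets framed as IAC SB LINEMODE SLC <triplets> IAC SE (RFC 1184). The following parser is an added example, not code from this page or from GNU InetUtils: it shows the size validation a fixed-capacity SLC table needs, unescaping the body first and rejecting a frame whose triplet count exceeds the cap before anything is stored. The cap MAX_SLC_TRIPLETS and the helper names are assumptions of this example, not values taken from telnetd.

```python
# Added example: a bounded parser for Telnet LINEMODE SLC suboptions (RFC 1184).
# The triplet cap is an assumed demo policy, not any real telnetd buffer size.
IAC, SB, SE = 255, 250, 240          # Telnet command bytes (RFC 854)
LINEMODE, SLC = 34, 3                # LINEMODE option and its SLC suboption
SLC_HEADER = bytes([IAC, SB, LINEMODE, SLC])
MAX_SLC_TRIPLETS = 32                # assumed cap (RFC 1184 defines 18 functions)


class SlcRejected(ValueError):
    """Malformed SLC suboption, or one exceeding the configured cap."""


def _unescape_body(frame: bytes, start: int) -> bytes:
    # A literal 0xFF inside a suboption arrives as IAC IAC, so the decoded
    # length is only known after unescaping; that decoded length, not the
    # wire length, is what a fixed-size SLC table must be checked against.
    body, i = bytearray(), start
    while i < len(frame):
        if frame[i] != IAC:
            body.append(frame[i])
            i += 1
        elif i + 1 >= len(frame):
            raise SlcRejected("truncated IAC at end of frame")
        elif frame[i + 1] == SE:
            return bytes(body)
        elif frame[i + 1] == IAC:
            body.append(IAC)
            i += 2
        else:
            raise SlcRejected(f"unexpected IAC {frame[i + 1]} in suboption")
    raise SlcRejected("missing IAC SE terminator")


def parse_slc(frame: bytes, max_triplets: int = MAX_SLC_TRIPLETS) -> list[tuple[int, int, int]]:
    """Decode IAC SB LINEMODE SLC <triplets> IAC SE; count is checked before storing."""
    if not frame.startswith(SLC_HEADER):
        raise SlcRejected("not a LINEMODE SLC suboption")
    body = _unescape_body(frame, len(SLC_HEADER))
    if len(body) % 3:
        raise SlcRejected(f"body length {len(body)} is not a multiple of 3")
    if len(body) // 3 > max_triplets:
        raise SlcRejected(f"{len(body) // 3} triplets exceed cap {max_triplets}")
    return [(body[k], body[k + 1], body[k + 2]) for k in range(0, len(body), 3)]


def build_slc(triplets: list[tuple[int, int, int]]) -> bytes:
    """Encode triplets as an SLC suboption, escaping 0xFF as IAC IAC (for test input)."""
    raw = bytes(b for t in triplets for b in t).replace(b"\xff", b"\xff\xff")
    return SLC_HEADER + raw + bytes([IAC, SE])
```

Run over frames extracted from a capture, parse_slc either returns the triplet table or raises SlcRejected with the reason, which is the decision point a hardened daemon or an IDS rule has to make before the data touches a fixed buffer.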

Exploitation Scenario: Full Compromise with a Single Connection

CVE-2026-32746 can be exploited through a remarkably simple yet highly impactful attack flow.

Example of a successful PoC exploitation of CVE-2026-32746

The PoC provides a clear demonstration of how this vulnerability can be exploited in practice. In the screenshot, the left terminal represents a target server running a vulnerable Telnet daemon, while the right terminal shows the attacker executing commands remotely through an exploit script. Notably, commands such as id and hostname are executed with root privileges, without any authentication.

Attack Flow of CVE-2026-32746

  1. Identification of Exposed Telnet Services
    Attackers scan the internet for systems with TCP port 23 open, identifying accessible Telnet services.
  2. Initial Connection and Protocol Negotiation
    Upon connection, Telnet initiates an option negotiation process, which is executed prior to authentication.
  3. Delivery of Crafted SLC Payload
    The attacker sends a specially crafted LINEMODE SLC suboption message designed to trigger a buffer overflow.
  4. Remote Code Execution (RCE)
    By exploiting memory corruption, the attacker executes arbitrary code within the context of the telnetd process.
  5. Root Privilege Compromise and Full System Control
    Since most Telnet services run with root privileges, the attacker can immediately gain full control over the system.

Key Characteristics of the Attack:

  • No authentication required
  • No user interaction required
  • Exploitable with a single crafted packet

In essence, this vulnerability represents a low-complexity, high-impact threat, where internet-exposed services can be compromised almost instantly.

Exposure Analysis of GNU InetUtils telnetd Assets

Although Telnet has long been considered insecure and largely replaced by SSH, real-world internet environments tell a different story. Telnet remains widely used across legacy servers, industrial control systems (ICS), IoT devices, and network appliances. In many cases, these services are still directly exposed to the internet due to operational convenience or compatibility requirements, making them persistent entry points for attackers. Before launching sophisticated attacks, threat actors typically conduct reconnaissance to identify accessible services. Services that allow connections without authentication are prioritized as initial access targets.

Using Criminal IP Asset Search, we identified a significant number of globally exposed Telnet assets that meet these conditions. Since this vulnerability specifically affects the GNU InetUtils telnetd implementation, we conducted more precise detection by filtering assets based on the product to refine the analysis.

Criminal IP Asset Search results for product: telnetd

Criminal IP Search Query: product: telnetd AND port: 23

This query is designed not just to identify assets with an open Telnet port, but to specifically detect internet-exposed services running GNU InetUtils telnetd.

As of late March 2026, Criminal IP Asset Search identified approximately 50,000 assets. These results indicate more than just active services: they represent directly accessible entry points where attackers can attempt connections without any authentication. In the context of a vulnerability like CVE-2026-32746, which is exploitable prior to authentication, these exposed assets can immediately become viable targets for remote code execution (RCE), without requiring additional reconnaissance or privilege escalation.

Example of an internet-exposed GNU InetUtils telnetd asset

Further analysis reveals that some of these assets expose additional management ports alongside Telnet, such as SSH (22) and HTTP servers (8443). In such environments, an initial compromise via Telnet can easily lead to lateral movement and deeper access into internal systems.

Mitigation and Recommendations

CVE-2026-32746 enables pre-authentication remote code execution, meaning that any externally accessible service can be compromised instantly. Therefore, mitigation should focus not only on patching but also on eliminating unnecessary exposure.

Immediate Risk Mitigation

  • Block external access to TCP port 23
    Since Telnet allows connections prior to authentication, restricting access to port 23 from external networks is the most effective first step.
  • Disable Telnet services
    Telnet is a legacy protocol based on plaintext communication and is inherently insecure. If not strictly required, the service should be removed entirely.
  • Minimize network exposure
    If Telnet must remain operational, restrict access to internal networks or specific management segments to reduce the attack surface.

Fundamental Remediation

  • Apply official patches (GNU InetUtils update)
    Update vulnerable telnetd versions to the latest patched release to eliminate the underlying vulnerability.
  • Restrict service privileges
    Since telnetd often runs with root privileges, successful exploitation can lead to full system compromise. Where possible, configure the service to run under least-privileged accounts.

Long-Term Security Recommendations

  • Migrate to secure protocols (e.g., SSH)
    Replace Telnet with encrypted protocols like SSH to eliminate inherent security weaknesses.
  • Audit legacy service usage
    Identify and phase out Telnet and similar legacy protocols across the organization.
  • Continuously monitor exposed services
    Leverage Attack Surface Management (ASM) solutions such as Criminal IP ASM to continuously detect and manage externally exposed services.

FAQ

Q1. Why is CVE-2026-32746 rated 9.8 (Critical)?

CVE-2026-32746 is a network-exploitable, pre-authentication RCE vulnerability. It can be triggered during the Telnet protocol’s initial negotiation phase, before login, making exploitation extremely straightforward. An attacker only needs to connect to TCP port 23 and send a crafted message to execute code, without requiring credentials or user interaction.

Additionally, since telnetd often runs with elevated privileges, successful exploitation can lead to full system compromise. These factors—low complexity, high impact, and ease of exploitation—contribute to its CVSS 9.8 (Critical) rating.

Q2. What if Telnet must be used in an operational environment?

If Telnet usage is unavoidable, the following controls must be strictly enforced:

  • Block access from external networks
  • Restrict access to specific management IPs or networks
  • Implement indirect access via VPN or additional authentication layers
  • Minimize service execution privileges
  • Strengthen logging and session monitoring

However, since Telnet inherently relies on unencrypted communication, it is strongly recommended to transition to secure alternatives such as SSH whenever possible.

Conclusion

CVE-2026-32746 is not just a typical buffer overflow vulnerability; it demonstrates how legacy protocols combined with pre-authentication processing flaws can evolve into critical attack vectors. Services like Telnet, despite being outdated, still operate in many environments in ways that allow a single vulnerability to result in full system compromise.

Modern security is no longer just about patching vulnerabilities. It requires asking a more fundamental question: “Why is this service still exposed to the internet?” The continued use and exposure of legacy services inherently provide attackers with opportunities for exploitation.

Organizations must go beyond patch management and adopt an Attack Surface Management (ASM)-driven security strategy, continuously identifying and controlling all internet-exposed assets.

In relation to this, you can also refer to CVE-2026-24061: Analysis of GNU Inetutils telnetd Authentication Bypass Vulnerability



This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine.

Source: Criminal IP (https://search.criminalip.io/), NIST (https://nvd.nist.gov/vuln/detail/CVE-2026-32746), The Hacker News (https://thehackernews.com/2026/03/critical-telnetd-flaw-cve-2026-32746.html)

Related article: https://www.criminalip.io/knowledge-hub/blog/32569
