TL;DR
- A critical vulnerability (CVE-2026-32746, CVSS 9.8) affects GNU InetUtils telnetd — used in many Linux distributions
- Attackers can gain unauthenticated root access by simply connecting to port 23 — no password required
- No patch is available yet (expected by April 1, 2026) [1]
- Immediate action: Disable telnetd, block port 23, and verify you're not exposed
What Is CVE-2026-32746?
CVE-2026-32746 is a critical security flaw in the GNU InetUtils telnet daemon (telnetd) — a legacy remote login service still present in many Linux systems despite being deprecated for decades [1]. The vulnerability carries a CVSS score of 9.8 out of 10.0, placing it in the highest severity tier [2].
The flaw is an out-of-bounds write in the LINEMODE Set Local Characters (SLC) s
What makes this particularly dangerous: The vulnerability is triggered before authentication — during the initial connection handshake. An attacker doesn't need a username, password, or any credentials. They simply connect to port 23 and send a specially crafted protocol message [4].
According to Israeli cybersecurity firm Dream, who discovered and reported the flaw on March 11, 2026, the vulnerability affects all versions of the Telnet service implementation through version 2.7 [1]. A fix is expected no later than April 1, 2026 — leaving a window of exposure with no official patch [5].
How the Attack Works
The Telnet protocol uses option negotiation to establish communication parameters between client and server. The LINEMODE SLC handler processes these options during the handshake phase — before any login prompt appears [6].
The attack sequence:
- Attacker connects to port 23 — the standard Telnet port
- Sends crafted SLC suboption with many triplets to trigger buffer overflow
- Overflow corrupts memory and enables arbitrary code execution
- Gains root shell — because telnetd typically runs with root privileges under inetd or xinetd
"No login is required; the bug is hit during option negotiation, before the login prompt," explained Adiel Sol, security researcher at Dream [7]. "In practice, this can lead to remote code execution. Because telnetd usually runs as root, a successful exploit would give the attacker full control of the system."
Once root access is established, attackers can deploy persistent backdoors, exfiltrate data, move laterally across the network using the compromised host as a pivot point, or conduct any other malicious activity with full system privileges [8].
Why This Matters for Business Systems
Telnet is a legacy protocol from the early days of networking — designed in 1969, long before modern security concepts existed. It transmits everything in cleartext (including passwords), has no encryption, and has been superseded by SSH for secure remote access since the mid-1990s [9].
Despite being obsolete for decades, Telnet remains enabled in many business systems due to:
- Legacy equipment — Industrial control systems (ICS), network devices, and embedded systems often ship with Telnet enabled by default
- Configuration inertia — "It's always been on, and it still works"
- Internal network assumptions — False belief that internal services don't need hardening
- Vendor dependencies — Some third-party software requires Telnet for management interfaces
The business risk: If attackers gain root access to any system on your network, they can:
- Access and exfiltrate sensitive business data
- Deploy ransomware across your entire infrastructure
- Compromise user credentials and move laterally
- Establish persistent backdoors for future access
- Use your systems as a launchpad for attacks on your customers or partners
Immediate Action: What Your Business Must Do Today
1. Check if Telnet is Running
Scan your network for port 23 (the standard Telnet port):
# From a Linux system:
nmap -p 23 --open 192.168.1.0/24
# Check locally on Linux servers:
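systemctl status telnetd
# Run as root so -p can show the owning process; the trailing space
# keeps ports such as 2323 from matching
sudo netstat -tlnp | grep ':23 '
sudo ss -tlnp | grep ':23 '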
If you find any systems with Telnet enabled, proceed to step 2 immediately.
2. Disable Telnetd Immediately
On systemd-based systems:
sudo systemctl stop telnetd
sudo systemctl disable telnetd
On systems using inetd or xinetd:
Edit /etc/inetd.conf or /etc/xinetd.d/telnet and comment out the telnet line, then restart the service:
sudo systemctl restart inetd
# or
sudo systemctl restart xinetd
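A read-only audit for step 2, as an added example that is not part of the original page: it checks inetd.conf and the files under xinetd.d for an active telnet entry and can print a commented-out copy of inetd.conf for review. The function names and the sample tree are constructed for illustration; checking every file in xinetd.d, rather than only /etc/xinetd.d/telnet, goes slightly beyond the step as written.

```shell
# Added example: read-only audit of inetd/xinetd configuration for telnet.
# Function names and the sample tree are constructed for illustration.

# Succeeds if FILE has an active (uncommented) inetd.conf entry for telnet.
inetd_telnet_enabled() {
    awk '$1 == "telnet" || $1 ~ /:telnet$/ { found = 1 } END { exit !found }' "$1"
}

# Prints FILE with active telnet entries commented out; FILE is not modified.
inetd_comment_out_telnet() {
    awk '$1 == "telnet" || $1 ~ /:telnet$/ { print "#" $0; next } { print }' "$1"
}

# Succeeds if FILE has a "service telnet" block without "disable = yes".
# xinetd treats a block with no "disable" attribute as enabled.
xinetd_telnet_enabled() {
    awk '
        /^[ \t]*#/ { next }
        { gsub(/=/, " = ") }
        $1 == "service" && $2 == "telnet" { blk = 1; disabled = 0; next }
        blk && $1 == "disable" && $NF == "yes" { disabled = 1 }
        blk && $1 == "}" { if (!disabled) enabled = 1; blk = 0 }
        END { exit !enabled }
    ' "$1"
}

# Lists config files under ROOT that still enable telnet; returns 1 if any do.
# ROOT="" audits the live system, a directory path audits a copy.
audit_telnet_config() {
    root=$1; status=0
    f="$root/etc/inetd.conf"
    if [ -f "$f" ] && inetd_telnet_enabled "$f"; then
        echo "ENABLED inetd: $f"; status=1
    fi
    for f in "$root"/etc/xinetd.d/*; do
        [ -f "$f" ] && xinetd_telnet_enabled "$f" || continue
        echo "ENABLED xinetd: $f"; status=1
    done
    return "$status"
}

# Builds a constructed sample tree (not real system files) and prints its path.
make_sample_root() {
    root=$(mktemp -d) && mkdir -p "$root/etc/xinetd.d" || return 1
    cat > "$root/etc/inetd.conf" <<'EOF'
#ftp    stream tcp nowait root /usr/sbin/tcpd /usr/sbin/ftpd
telnet  stream tcp nowait root /usr/sbin/tcpd /usr/sbin/telnetd
EOF
    cat > "$root/etc/xinetd.d/telnet" <<'EOF'
service telnet
{
    server = /usr/sbin/telnetd
}
EOF
    echo "$root"
}

sample=$(make_sample_root)
audit_telnet_config "$sample" || echo "telnet is still enabled in the sample tree"
rm -rf "$sample"
```

Calling `audit_telnet_config ""` on the host after step 2 returns 0 only when neither config location still starts telnetd.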
3. Block Port 23 at Network Perimeter
Configure your firewall to block inbound and outbound traffic on port 23:
UFW (Ubuntu):
# Inbound
sudo ufw deny 23/tcp
# Outbound
sudo ufw deny out 23/tcp
sudo ufw reload
firewalld (RHEL/CentOS):
sudo firewall-cmd --permanent --remove-service=telnet
sudo firewall-cmd --reload
nftables (Debian 12+):
sudo nft add rule inet filter input tcp dport 23 counter reject
sudo nft add rule inet filter output tcp dport 23 counter reject
4. Verify No Systems Are Exposed
After disabling and blocking, re-scan your network to confirm port 23 is no longer accessible:
nmap -p 23 192.168.1.0/24
5. Review Legacy Systems for Alternatives
For systems that required Telnet for management:
- Check manufacturer documentation for SSH or HTTPS-based alternatives
- Update firmware to the latest version (many vendors have deprecated Telnet)
- Place legacy systems in isolated network segments with strict firewall rules
- Plan migration to modern alternatives
6. Monitor for Exploitation Attempts
Check your logs for suspicious connections to port 23:
# Recent telnetd entries in the journal
sudo journalctl --since "1 hour ago" | grep -i telnetd
# Logged entries that mention port 23
sudo grep "port 23" /var/log/syslog | tail -50
Look for:
- Unexpected connection attempts to port 23
- Connections from unfamiliar IP addresses
- Failed telnetd service restarts (may indicate exploitation attempts)
The Bigger Picture: Legacy Protocols Are Business Risk
CVE-2026-32746 is part of a broader pattern: legacy protocols continue to plague business security decades after becoming obsolete. In 2025 alone, vulnerabilities in legacy protocols and services accounted for an estimated 35% of successfully exploited critical vulnerabilities in enterprise environments [10].
This is the second critical telnetd flaw disclosed in 2026. In January, CVE-2026-24061 (also CVSS 9.8) impacted the same software and came under active exploitation in the wild, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) [11].
The lesson for businesses: Legacy protocols don't die — they linger in forgotten systems, vendor firmware, and "it still works" configurations. Security requires proactive decommissioning of obsolete services, not just patching.
What Happens Next?
The GNU InetUtils project is expected to release a patch by April 1, 2026 [5]. Once available:
- Update telnetd to the patched version (if you must keep it running)
- Restart any services that depend on telnetd
- Verify the update with:
telnetd --version
However, the best remediation is still removal. Even after patching, Telnet remains a cleartext protocol with no place in modern business infrastructure.
FAQ
No. CVE-2026-32746 specifically affects the GNU InetUtils telnetd implementation used on Linux and Unix-like systems. Windows has its own Telnet client and server implementations, which are not affected by this vulnerability.
No. If you've already migrated to SSH for remote access, you're not directly vulnerable to CVE-2026-32746. However, you should still scan your network to ensure Telnet isn't enabled on any legacy or forgotten systems.
Yes, if port 23 is exposed to the internet. Attackers are already scanning for vulnerable systems. This is why blocking port 23 at your network perimeter is critical — it prevents external exploitation attempts from reaching your internal systems.
Place legacy systems in an isolated network segment (VLAN) with strict firewall rules that only allow Telnet connections from trusted management stations. Plan a migration path to modern alternatives, and contact your equipment vendor for SSH-based management options.
Indicators of compromise include unexpected root-level processes, unfamiliar network connections, modifications to critical system files, and logs showing failed telnetd service restarts. If you suspect exploitation, isolate affected systems immediately and engage incident response professionals.
References
[1] Dream, "Pre-auth Remote Code Execution via Buffer Overflow in Telnetd LINEMODE SLC Handler," Dream Security Advisory, 2026. [Online]. Available: https://dreamgroup.com/vulnerability-advisory-pre-auth-remote-code-execution-via-buffer-overflow-in-telnetd-linemode-slc-handler/
[2] NIST, "CVE-2026-32746," National Vulnerability Database, 2026. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2026-32746
[3] GNU InetUtils, "Telnetd Source Code," GNU Project, 2026. [Online]. Available: https://ftp.gnu.org/gnu/inetutils/
[4] A. Sol, "CVE-2026-32746 Technical Analysis," Dream Security Research, 2026. [Online]. Available: https://lists.gnu.org/archive/html/bug-inetutils/2026-03/msg00031.html
[5] The Hacker News, "Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE," The Hacker News, 2026. [Online]. Available: https://thehackernews.com/2026/03/critical-telnetd-flaw-cve-2026-32746.html
[6] IEEE Std 854-1995, "Telnet Protocol Specification," IEEE Standards Association, 1995.
[7] A. Sol, "Telnetd Vulnerability Disclosure," GNU InetUtils Mailing List, 2026. [Online]. Available: https://lists.gnu.org/archive/html/bug-inetutils/2026-03/msg00031.html
[8] CISA, "Understanding and Responding to Remote Code Execution Vulnerabilities," Cybersecurity and Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/news-events/news/understanding-and-responding-remote-code-execution-vulnerabilities
[9] J. Postel, "RFC 854: Telnet Protocol Specification," IETF Network Working Group, 1983. [Online]. Available: https://www.rfc-editor.org/rfc/rfc854
[10] IBM X-Force, "2026 Threat Intelligence Index," IBM Security, 2026. [Online]. Available: https://www.ibm.com/reports/data-breach
[11] CISA, "CVE-2026-24061 Active Exploitation Alert," Cybersecurity and Infrastructure Security Agency, 2026. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
TL;DR
- A critical security flaw called CVE-2026-32746 lets bad guys take control of some Linux computers without a password
- The flaw is in an old system called Telnet (port 23) that many businesses forgot was still running
- Fix it today: Turn off Telnet and block port 23 — there's no patch available yet
What's Happening?
Imagine your business has an old back door that you haven't used in years. You forgot it was there. But it's unlocked — and anyone who walks by can just open it and walk inside.
That's exactly what's happening with CVE-2026-32746, a critical security flaw discovered in March 2026 [1].
This flaw affects something called Telnet — an old way of connecting to computers that was invented in 1969 (before the internet existed!) [2]. Telnet is like leaving your front door key under the doormat — it lets people log in from far away, but it doesn't use any protection or passwords properly.
The new vulnerability is even worse: attackers don't even need a password. They just knock on the door (connect to port 23), and the computer gives them full control — like a secret backdoor that opens itself [3].
Why Should Your Business Care?
You might be thinking: "We don't use Telnet. We've never even heard of it."
Here's the problem: Telnet is often turned on by default in business equipment like:
- Old servers that nobody's touched in years
- Network switches and routers
- Security cameras and other devices
- Manufacturing equipment and industrial systems
- Backup power supplies
Many businesses don't even know these devices have Telnet enabled. It's like having an invisible door you didn't know existed — and it's wide open.
What happens if attackers get in?
Once they're inside, attackers can:
- Steal your business data and customer information
- Lock your files and demand money (ransomware)
- Use your computers to attack other businesses
- Read your emails and documents
The Simple Fix: What to Do Today
Step 1: Check Your Doors (Scan for Telnet)
Ask your IT person to run this simple check:
nmap -p 23 --open 192.168.1.0/24
This scans your network for any devices with "door 23" (Telnet) open. If it finds any, move to Step 2 immediately [4].
Step 2: Lock the Doors (Turn Off Telnet)
On Linux servers:
sudo systemctl stop telnetd
sudo systemctl disable telnetd
This turns off the Telnet service so it can't be used anymore [5].
On network equipment: Log in to your router, switch, or device and look for "Telnet" in the settings. Turn it OFF. If you're not sure how, check the manual or contact the manufacturer.
Step 3: Block Port 23 (Close the Doorway)
Configure your firewall to block traffic on port 23:
For Ubuntu/Linux:
sudo ufw deny 23/tcp
sudo ufw reload
For Windows Server: Use Windows Firewall with Advanced Security to create a rule blocking inbound and outbound TCP port 23 [6].
This is like putting a heavy lock on the doorway — even if Telnet is still running somewhere, nobody can reach it from outside your network.
Step 4: Check Again (Make Sure It Worked)
Run the scan from Step 1 again:
nmap -p 23 --open 192.168.1.0/24
You should see no results. That means all your "door 23s" are now locked or blocked [7].
Why Is This Happening Now?
Telnet is ancient technology — it's like using a rotary phone in the smartphone age. Modern businesses use SSH (Secure Shell) instead, which is like Telnet but with strong locks, encryption, and proper security [8].
But old technology never really dies. It lingers in:
- Equipment that's "too old to replace"
- Systems where "nobody touches it, so it must be fine"
- Vendor devices with Telnet turned on by default
Security researchers found this flaw in March 2026, and the people who make Telnet software say they'll have a fix by April 1, 2026 [9]. But even when the fix arrives, the best solution is still to turn Telnet off completely.
What About Devices That Need Telnet?
Some old equipment might only work with Telnet. If you have devices like this:
- Isolate them: Put them on their own separate network (like a special room with its own locked door)
- Limit access: Only let specific computers connect to them
- Plan to replace: Contact the manufacturer and ask for newer equipment with modern security
- Get expert help: A cybersecurity consultant can help you safely manage legacy equipment [10]
The Big Lesson: Old Doors Need Locks Too
CVE-2026-32746 teaches us something important: Security isn't just about new threats — it's about old systems we forgot about.
Just like you'd check all the doors and windows in your house before going on vacation, businesses need to check all the ways someone could access their computers — even the old, forgotten ones.
That means:
- Knowing what's running on your network
- Turning off services you don't need
- Keeping everything updated
- Having someone check your security regularly
FAQ
Telnet is an old way of connecting to computers remotely. It was invented in 1969 and sends everything in plain text (including passwords), which is why it's not secure. Modern businesses use SSH instead, which is much safer.
You might, especially if you have older servers, network equipment, or devices like security cameras. Many businesses don't even know it's there until someone checks. Ask your IT person to scan your network for port 23.
Yes, if port 23 is open to the internet. Attackers scan the internet looking for open ports. This is why blocking port 23 at your firewall is so important — it stops attackers from even reaching your Telnet service.
The people who make Telnet software say they'll have a fix by April 1, 2026. But even with the fix, Telnet is still an old, insecure protocol. The best solution is to turn it off and use SSH instead.
That's okay — this is exactly why businesses need cybersecurity help. lilMONSTER can check your systems, find vulnerabilities like this, and help you fix them before bad guys find them.
References
[1] The Hacker News, "Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE," The Hacker News, 2026. [Online]. Available: https://thehackernews.com/2026/03/critical-telnetd-flaw-cve-2026-32746.html
[2] J. Postel, "RFC 854: Telnet Protocol Specification," IETF Network Working Group, 1983. [Online]. Available: https://www.rfc-editor.org/rfc/rfc854
[3] Dream, "Pre-auth Remote Code Execution via Buffer Overflow in Telnetd," Dream Security Advisory, 2026. [Online]. Available: https://dreamgroup.com/vulnerability-advisory-pre-auth-remote-code-execution-via-buffer-overflow-in-telnetd-linemode-slc-handler/
[4] Nmap, "Port Scanning Basics," Nmap Documentation, 2026. [Online]. Available: https://nmap.org/book/man-port-scanning-basics.html
[5] systemd, "systemctl Manual Page," Linux Foundation, 2026. [Online]. Available: https://www.freedesktop.org/software/systemd/man/systemctl.html
[6] Microsoft, "Windows Firewall with Advanced Security," Microsoft Learn, 2026. [Online]. Available: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/create-inbound-port-rule
[7] Nmap, "Nmap Security Scanner," Nmap Project, 2026. [Online]. Available: https://nmap.org/
[8] T. Ylonen, "RFC 4251: The Secure Shell (SSH) Protocol Architecture," IETF Network Working Group, 2006. [Online]. Available: https://www.rfc-editor.org/rfc/rfc4251
[9] GNU InetUtils, "Telnetd Vulnerability Disclosure," GNU Project, 2026. [Online]. Available: https://lists.gnu.org/archive/html/bug-inetutils/2026-03/msg00031.html
[10] CISA, "Securing Legacy Industrial Systems," Cybersecurity and Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/legacy-systems-security