TL;DR
- A critical vulnerability (CVE-2026-32746, CVSS 9.8) affects GNU InetUtils Telnet daemon
- The flaw allows unauthenticated remote code execution as root – no login required
- It's been hiding in the code since 1994 – 32 years of exposure
- 3,362 internet-exposed hosts are currently vulnerable (as of March 18, 2026)
- ICS/OT environments are at highest risk – PLCs, SCADA, and network devices still rely on Telnet
- Immediate action required: disable Telnet, block port 23, or apply patches
The Vulnerability: What Is CVE-2026-32746?
CVE-2026-32746 is a buffer overflow vulnerability in the GNU InetUtils telnet daemon (telnetd) that allows an unauthenticated remote attacker to execute arbitrary code with elevated privileges [1].
The vulnerability carries a CVSS score of 9.8 out of 10 – making it critical severity. It's classified under CWE-120 (buffer copy without proper bounds checking), which is a classic buffer overflow flaw [2].
What Makes This Different?
This isn't just another critical vulnerability. Here's what makes CVE-2026-32746 particularly dangerous:
Pre-authentication exploitation: Attackers don't need valid credentials. The vulnerability triggers during the initial Telnet handshake – before any login prompt appears [3].
Root privileges by default: Telnetd typically runs with root privileges through inetd or xinetd. Successful exploitation gives attackers complete system compromise [4].
Ancient code, massive blast radius: The vulnerability has existed since 1994 – that's older than many sysadmins have been alive. It's been copied and forked into countless systems over 32 years [5].
Silent exploitation: The attack happens during option negotiation before authentication. Standard authentication logs won't capture these connection attempts [6].
According to Censys data, there are approximately 3,362 exposed hosts vulnerable to CVE-2026-32746 as of March 18, 2026 [7].
How the Attack Works
The vulnerability resides in the LINEMODE SLC (Set Local Characters) negotiation handler within Telnet's protocol options [8].
Here's the attack sequence:
- Attacker connects to TCP port 23 (Telnet)
- Server sends IAC DO LINEMODE (requesting LINEMODE capability)
- Client responds with IAC WILL LINEMODE (enabling the feature)
- Server sends LINEMODE SLC suboption with triplets (function, flag, value)
- Vulnerable code stores these triplets in a global array without bounds checking
- Buffer overflow corrupts ~400 bytes of adjacent memory
- With the right memory layout, this leads to arbitrary code execution as root
What's terrifying is that no user interaction is required. A single network connection to port 23 is sufficient to trigger the vulnerability. No credentials, no special network position, no social engineering [9].
Who's Affected?
This is where CVE-2026-32746 becomes particularly concerning for SMBs with industrial or operational technology.
Confirmed Affected Systems [10]:
Operating Systems:
- GNU InetUtils telnetd (all versions through 2.7)
- Ubuntu
- Debian
- FreeBSD 13 / FreeBSD 15 Port
- NetBSD 10.1
- Apple Mac Tahoe (older macOS)
- Haiku
- DragonFlyBSD
Network and Industrial Equipment:
- Citrix NetScaler
- TrueNAS Core
- uCLinux (embedded Linux)
- libmtev (monitoring/console systems)
Industrial and OT Environments:
- Programmable Logic Controllers (PLCs) with Telnet interfaces
- SCADA systems with Telnet remote management
- Network devices manufactured before SSH became standard
- Legacy industrial equipment where Telnet is the only supported remote management protocol
The watchTowr Labs analysis notes: "Many programmable logic controllers (PLCs), SCADA systems, and network devices deployed in these environments were manufactured before SSH became the standard, and were designed with Telnet as their sole remote management interface" [11].
Why Industrial Environments Are at Risk
Telnet remains prevalent in Industrial Control Systems (ICS) and operational technology (OT) environments for several reasons:
- Aging infrastructure: Equipment designed 20+ years ago often only supports Telnet
- Prohibitively expensive upgrades: Replacing industrial equipment can cost hundreds of thousands per unit
- Operational disruption: Upgrading critical systems requires downtime that manufacturing or utilities can't afford
- Vendor support: Some legacy equipment vendors no longer exist, making firmware updates impossible
- Long procurement cycles: Government and regulated environments have multi-year change control processes
Dream Security Labs notes: "Replacing or upgrading such systems is often prohibitively expensive, operationally disruptive, or outright impossible without vendor support — which may no longer exist for legacy equipment" [12].
This creates a perfect storm: vulnerable, unpatchable systems controlling critical physical processes, exposed to the network, with a 32-year-old root RCE flaw.
The Business Impact
For SMBs in manufacturing, utilities, or any sector with OT/ICS systems, CVE-2026-32746 represents a catastrophic risk:
1. Direct Control System Compromise
Attackers who exploit this vulnerability gain:
- Root access to PLCs, SCADA controllers, or industrial gateways
- Ability to manipulate physical processes – temperature, pressure, flow rates
- Capacity to disable safety systems or override interlocks
- Opportunity to cause equipment damage through unsafe operating conditions
2. Lateral Movement to Corporate IT
Once an industrial system is compromised:
- Attackers can pivot from OT to IT networks
- Bypass traditional security controls designed for corporate networks
- Exfiltrate sensitive data from business systems
- Deploy ransomware across both OT and IT environments
3. Safety and Regulatory Consequences
Industrial cyberattacks have real-world physical consequences:
- Environmental incidents (chemical spills, releases)
- Equipment destruction (motors, pumps, turbines)
- Production shutdowns with revenue impact
- Regulatory fines for safety and compliance violations
- Liability for injuries or property damage
According to the 2026 Dragos ICS/OT Cybersecurity Report, 67% of industrial organizations experienced at least one cyber incident in 2025 – a 23% increase from 2024 [13].
Immediate Mitigation Steps
Priority 1: Network Isolation (Do This Today)
- Block TCP port 23 at your network perimeter firewall
- Implement network segmentation – isolate ICS/OT networks from corporate IT
- Disable Telnet on any system where it's not absolutely required
- Document all systems with port 23 exposed – including those behind firewalls
Note: This is a temporary containment measure, not a fix. Attackers already inside your network can still exploit vulnerable systems.
Priority 2: Detection and Monitoring
According to Dream Security Labs, standard authentication logs won't capture exploitation attempts because the attack happens before login [14]. You need:
Network-level logging: Configure firewall rules (iptables, nftables, pf) to log all new connections to port 23, including:
- Source IP addresses
- Timestamps
- Connection states
Packet capture: Implement full or partial packet capture of Telnet traffic for forensic analysis
IDS signatures: Deploy intrusion detection systems (Suricata, Snort) with signatures for:
- LINEMODE SLC suboptions (IAC SB LINEMODE 0x03)
- Abnormally large payloads (>90 bytes in SLC data)
Centralized logging: Send all logs to a SIEM or external log aggregator to prevent attackers from tampering with forensic evidence on compromised hosts
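The signature criteria listed under IDS signatures above can also be checked offline against bytes captured from a port 23 session. The following is an added example, not code from this article's sources or from watchTowr or Dream Security: a Python parser that walks a Telnet byte stream, extracts LINEMODE SLC suboptions and flags any whose SLC data exceeds 90 bytes. The function names and the sample byte strings are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

IAC, SB, SE = 0xFF, 0xFA, 0xF0   # Telnet command bytes (RFC 854)
OPT_LINEMODE = 0x22              # LINEMODE option, decimal 34 (RFC 1184)
LM_SLC = 0x03                    # SLC suboption code named in the signature
SLC_ALERT_BYTES = 90             # threshold from the article: >90 bytes of SLC data


@dataclass
class SlcFinding:
    offset: int       # position of the IAC SB that opened the suboption
    slc_bytes: int    # SLC data length after undoing IAC IAC escaping
    triplets: int     # complete (function, flag, value) triplets
    terminated: bool  # False when the capture ends before IAC SE
    suspicious: bool  # True when slc_bytes exceeds SLC_ALERT_BYTES


def read_subnegotiation(data: bytes, start: int) -> Tuple[bytes, int, bool]:
    """Collect one suboption body starting just after IAC SB.

    Returns (body, index after the suboption, terminated)."""
    body = bytearray()
    i = start
    while i < len(data):
        if data[i] != IAC:
            body.append(data[i])
            i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:
            body.append(IAC)          # IAC IAC is one literal 0xFF data byte
            i += 2
        elif i + 1 < len(data) and data[i + 1] == SE:
            return bytes(body), i + 2, True
        else:
            # Lone IAC at end of capture, or another command inside SB:
            # stop here and let the caller resume scanning at this IAC.
            return bytes(body), i, False
    return bytes(body), len(data), False


def find_slc_suboptions(stream: bytes) -> List[SlcFinding]:
    """Return one finding per LINEMODE SLC suboption seen in the stream."""
    findings = []
    i = 0
    while i < len(stream) - 1:
        if stream[i] != IAC:
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd != SB:
            # WILL/WONT/DO/DONT (0xFB-0xFE) carry one option byte; others are 2 bytes
            i += 3 if 0xFB <= cmd <= 0xFE else 2
            continue
        body, nxt, terminated = read_subnegotiation(stream, i + 2)
        if len(body) >= 2 and body[0] == OPT_LINEMODE and body[1] == LM_SLC:
            slc = body[2:]
            findings.append(SlcFinding(
                offset=i,
                slc_bytes=len(slc),
                triplets=len(slc) // 3,
                terminated=terminated,
                suspicious=len(slc) > SLC_ALERT_BYTES,
            ))
        i = max(nxt, i + 2)
    return findings


# --- Constructed sample captures (not taken from real traffic) ---
# Negotiation followed by a small SLC suboption: 3 triplets, one value escaped as IAC IAC.
BENIGN = (bytes([IAC, 0xFB, OPT_LINEMODE])
          + bytes([IAC, SB, OPT_LINEMODE, LM_SLC])
          + bytes([3, 2, 0x03, 4, 2, 0x1C, 8, 2, 0xFF, 0xFF])
          + bytes([IAC, SE]) + b"user\r\n")
# SLC suboption padded with 40 identical triplets (120 bytes), above the threshold.
OVERSIZED = (bytes([IAC, SB, OPT_LINEMODE, LM_SLC])
             + bytes([1, 2, 0]) * 40 + bytes([IAC, SE]))
# Same suboption with the closing IAC SE missing, as in a cut-off capture.
TRUNCATED = OVERSIZED[:-2]
# A different suboption (terminal type, option 0x18) that must be ignored.
OTHER_OPTION = bytes([IAC, SB, 0x18, 0x00]) + b"xterm" + bytes([IAC, SE])

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN), ("oversized", OVERSIZED),
                       ("truncated", TRUNCATED), ("other", OTHER_OPTION)]:
        print(name, find_slc_suboptions(blob))
```

The length is measured after IAC unescaping, so doubled 0xFF bytes on the wire do not inflate the count, and a suboption cut off by the end of the capture is still reported with the data seen so far.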
Priority 3: System Patching or Replacement
Check for patches: GNU InetUtils has released a fix in git commit 6864598a29b652a6b69a958f5cd1318aa2b258af (March 2026) [15]. However, as of March 20, 2026, no official release (beyond vulnerable version 2.7) has been published.
Build from source: If you must run Telnet, clone the fixed commit and build from source. Do not rely on package manager updates until patched releases are available.
Replace Telnet with SSH: For any system that supports it, migrate to SSH with key-based authentication. This is the only reliable long-term fix.
Run without root privileges: Where Telnet must remain operational, configure it to run without root privileges to reduce impact if exploited.
Priority 4: Vulnerability Scanning
Use the detection artifact generator from watchTowr Labs [16] to assess your exposure:
# Probe mode (non-invasive)
python3 watchtowr-vs-Telnetd-CVE-2026-32746.py --rhost <target_ip> --probe
# Full detection (minimal overflow attempt)
python3 watchtowr-vs-Telnetd-CVE-2026-32746.py --rhost <target_ip>
Warning: Even the minimal overflow test carries risk of crashing vulnerable Telnet services. Use probe mode first on production industrial systems.
The Long-Term Fix: OT/IT Security Convergence
CVE-2026-32746 exposes a fundamental problem: industrial security lags decades behind IT security.
According to the 2026 Claroty Biannual ICS/OT Risk Report, 73% of ICS/OT organizations lack visibility into their industrial network assets [17]. You can't protect what you don't know exists.
What SMBs with Industrial Systems Should Do
This Week:
- Inventory all systems with Telnet enabled (including serial-to-Ethernet converters)
- Block port 23 at network boundaries
- Implement network segmentation between IT and OT networks
- Enable logging for all Telnet connections
This Month:
- Replace Telnet with SSH wherever possible
- Build from patched source for systems that must run Telnet
- Deploy IDS signatures for LINEMODE SLC exploitation
- Test industrial systems for vulnerability (in a safe, isolated environment)
This Quarter:
- Develop a migration plan for legacy equipment that only supports Telnet
- Budget for equipment replacement where Telnet is the only option
- Implement OT-specific security monitoring (like Dragos, Nozomi, or Claroty)
- Conduct a penetration test focused on ICS/OT exposure
This Year:
- Achieve IT/OT network segmentation with proper firewalls and DMZs
- Replace all end-of-life industrial equipment with insecure protocols
- Implement an industrial SOC with 24/7 monitoring for OT anomalies
- Achieve compliance with IEC 62443 (industrial automation security standards)
The "It Can't Happen to Me" Fallacy
You might be thinking: "We don't use Telnet. We're safe."
Here's why that thinking is dangerous:
1. Shadow Telnet Services
Security researchers frequently find forgotten Telnet services on:
- Development servers left in production
- Test environments never decommissioned
- Default configurations on new appliances
- Legacy systems inherited through acquisitions
2. Third-Party Risk
Your vendors, suppliers, or service providers might use Telnet to connect to your systems. When they're compromised, you're exposed.
3. Serial-to-Ethernet Converters
Many industrial environments use terminal servers or console servers that provide Ethernet access to serial-port equipment. These devices frequently expose Telnet without adequate security.
4. VPN and Remote Access Risks
If an attacker gains VPN access (through phishing, credential theft, or a zero-day), they can scan your internal network for port 23 and exploit vulnerable systems from inside your perimeter.
According to the 2026 Sophos State of Ransomware report, 42% of ransomware attacks now originate through VPN or remote access vulnerabilities [18].
The Bottom Line
CVE-2026-32746 is a 32-year mistake that should have been caught decades ago. But here we are in 2026, with thousands of vulnerable systems exposed to the internet and countless more hiding in industrial networks worldwide.
For SMBs, this isn't just a technical vulnerability – it's a business risk:
- Manufacturing businesses face production shutdowns
- Utilities face service disruptions and regulatory penalties
- Healthcare organizations face patient safety risks
- Any business with OT/ICS systems faces potential physical damage
The question isn't whether attackers will exploit this vulnerability. The question is whether they'll exploit it in your environment.
Industrial security isn't optional anymore – it's business survival. lilMONSTER helps SMBs with ICS/OT systems identify hidden vulnerabilities, implement defense-in-depth for industrial networks, and build incident response capabilities that work for both IT and OT environments.
Book a free consultation and let's secure your industrial systems before they become someone's practice target.
FAQ
CVE-2026-32746 is a critical buffer overflow vulnerability (CVSS 9.8) in the GNU InetUtils Telnet daemon (telnetd) that allows unauthenticated remote attackers to execute arbitrary code with root privileges. The vulnerability has existed in the code since 1994 – 32 years – and affects Linux distributions, BSD systems, and countless embedded and industrial devices that copied the vulnerable code [1][2][5].
The vulnerability is triggered during Telnet protocol option negotiation, specifically in the LINEMODE SLC (Set Local Characters) handler. Attackers send a specially crafted Telnet handshake with malformed SLC triplets that overflow a global buffer, corrupting adjacent memory. With the right memory layout, this leads to remote code execution as root – all before any login prompt appears, requiring no authentication or user interaction [3][8][9].
Telnet remains prevalent in ICS/OT environments because many PLCs, SCADA systems, and industrial devices were manufactured before SSH became standard. Replacing this legacy equipment is often prohibitively expensive or operationally disruptive. When attackers exploit CVE-2026-32746 on industrial systems, they gain root access to equipment controlling physical processes – power grids, water treatment, manufacturing lines – enabling sabotage, equipment damage, or safety incidents [11][12].
Immediate actions: (1) Block TCP port 23 at network firewalls, (2) Disable Telnet on any system where it's not required, (3) Implement network segmentation to isolate ICS/OT networks, (4) Enable network-level logging for all port 23 connections, (5) Deploy IDS signatures for LINEMODE SLC exploitation attempts. Long-term: Replace Telnet with SSH wherever possible, build from patched source for systems that must run Telnet, budget for replacement of legacy equipment that only supports Telnet [14][15][16].
According to Censys data from March 18, 2026, approximately 3,362 internet-exposed hosts are vulnerable to CVE-2026-32746. However, this likely represents only a fraction of the total vulnerable systems, as many ICS/OT devices are not directly exposed to the internet but are accessible via VPN or internal networks. The vulnerability affects all versions of GNU InetUtils telnetd through 2.7, and has been copied into FreeBSD, NetBSD, Apple macOS, Citrix NetScaler, TrueNAS, uCLinux, and countless embedded systems over 32 years [7][10].
References
[1] The Hacker News, "Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE," March 20, 2026. [Online]. Available: https://thehackernews.com/2026/03/critical-telnetd-flaw-cve-2026-32746.html
[2] Industrial Cyber, "Dream Security flags critical RCE vulnerability in GNU Inetutils telnetd, exposing ICS and OT systems," March 20, 2026. [Online]. Available: https://industrialcyber.co/threats-attacks/dream-security-flags-critical-rce-vulnerability-in-gnu-inetutils-telnetd-exposing-ics-and-ot-systems/
[3] Dream Security, "Vulnerability advisory: Pre-Auth Remote Code Execution via Buffer Overflow in telnetd LINEMODE SLC Handler," March 13, 2026. [Online]. Available: https://dreamgroup.com/vulnerability-advisory-pre-auth-remote-code-execution-via-buffer-overflow-in-telnetd-linemode-slc-handler/
[4] The Hacker News, "Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE," March 20, 2026. [Online]. Available: https://thehackernews.com/2026/03/critical-telnetd-flaw-cve-2026-32746.html
[5] watchTowr Labs, "A 32-Year-Old Bug Walks Into A Telnet Server (GNU inetutils Telnetd CVE-2026-32746 Pre-Auth RCE)," March 20, 2026. [Online]. Available: https://labs.watchtowr.com/a-32-year-old-bug-walks-into-a-telnet-server-gnu-inetutils-telnetd-cve-2026-32746/
[6] Industrial Cyber, "Dream Security flags critical RCE vulnerability in GNU Inetutils telnetd," March 20, 2026. [Online]. Available: https://industrialcyber.co/threats-attacks/dream-security-flags-critical-rce-vulnerability-in-gnu-inetutils-telnetd-exposing-ics-and-ot-systems/
[7] Censys, "Censys Advisory: CVE-2026-32746," March 18, 2026. [Online]. Available: https://censys.com/advisory/cve-2026-32746-3/
[8] The Hacker News, "Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE," March 20, 2026. [Online]. Available: https://thehackernews.com/2026/03/critical-telnetd-flaw-cve-2026-32746.html
[9] Dream Security, "Vulnerability advisory: Pre-Auth Remote Code Execution via Buffer Overflow in telnetd LINEMODE SLC Handler," March 13, 2026. [Online]. Available: https://dreamgroup.com/vulnerability-advisory-pre-auth-remote-code-execution-via-buffer-overflow-in-telnetd-linemode-slc-handler/
[10] watchTowr Labs, "A 32-Year-Old Bug Walks Into A Telnet Server (GNU inetutils Telnetd CVE-2026-32746 Pre-Auth RCE)," March 20, 2026. [Online]. Available: https://labs.watchtowr.com/a-32-year-old-bug-walks-into-a-telnet-server-gnu-inetutils-telnetd-cve-2026-32746/
[11] Industrial Cyber, "Dream Security flags critical RCE vulnerability in GNU Inetutils telnetd," March 20, 2026. [Online]. Available: https://industrialcyber.co/threats-attacks/dream-security-flags-critical-rce-vulnerability-in-gnu-inetutils-telnetd-exposing-ics-and-ot-systems/
[12] Dream Security, "Vulnerability advisory: Pre-Auth Remote Code Execution via Buffer Overflow in telnetd LINEMODE SLC Handler," March 13, 2026. [Online]. Available: https://dreamgroup.com/vulnerability-advisory-pre-auth-remote-code-execution-via-buffer-overflow-in-telnetd-linemode-slc-handler/
[13] Dragos, "2026 ICS/OT Cybersecurity Year in Review," Dragos, 2026. [Online]. Available: https://dragos.com/resource/2026-ics-cybersecurity-year-in-review
[14] Industrial Cyber, "Dream Security flags critical RCE vulnerability in GNU Inetutils telnetd," March 20, 2026. [Online]. Available: https://industrialcyber.co/threats-attacks/dream-security-flags-critical-rce-vulnerability-in-gnu-inetutils-telnetd-exposing-ics-and-ot-systems/
[15] GNU InetUtils, "Git commit 6864598a29b652a6b69a958f5cd1318aa2b258af," March 2026. [Online]. Available: https://codeberg.org/inetutils/inetutils/commit/6864598a29b652a6b69a958f5cd1318aa2b258af
[16] watchTowr Labs, "CVE-2026-32746 Detection Artifact Generator," March 2026. [Online]. Available: https://github.com/watchtowrlabs/watchtowr-vs-telnetd-CVE-2026-32746
[17] Claroty, "Biannual ICS/OT Risk Report H2 2025," Claroty, 2025. [Online]. Available: https://claroty.com/resources/report/biannual-ics-risk-report
[18] Sophos, "State of Ransomware 2026," Sophos, 2026. [Online]. Available: https://www.sophos.com/state-of-ransomware
TL;DR
- A mistake made in 1994 is still letting hackers break into computers today
- It's called CVE-2026-32746 and it affects a system called Telnet
- Hackers can use it to get total control of a computer without even knowing the password
- It's especially dangerous for factories, power plants, and other industrial equipment
- About 3,362 systems are currently vulnerable on the internet
- Businesses need to block the problem port (23) and fix their systems right away
What Happened?
Imagine someone built a house in 1994 and forgot to put locks on the doors. Not just one house – thousands of houses. And nobody noticed for 32 years.
That's basically what happened with CVE-2026-32746.
The Technical Part (Made Simple)
Telnet is an old way for computers to talk to each other. It's like a phone connection for computers – one computer can type commands and another computer will do what it says.
The problem is in a part of Telnet called LINEMODE. Here's what went wrong:
- When two computers connect using Telnet, they have a quick conversation first to agree on how they'll talk to each other
- During this conversation, one computer sends a list of settings to the other
- The vulnerable computer was supposed to check if this list was too long
- But it forgot to check!
- So a hacker could send a list that's way too long
- This list would overflow into other parts of the computer's memory
- With careful planning, the hacker could make the computer run any code they wanted
The worst part? This happens before the computer even asks for a password [1].
Why It's Called a "Buffer Overflow"
Imagine you have a bucket that can hold 10 cups of water. If you try to pour 20 cups in, 10 cups will fit in the bucket and the other 10 will spill all over the floor.
A computer buffer is like that bucket. It's a space in memory meant to hold a specific amount of data. When programmers forgot to check if the data was too big, the extra data would "spill" into other parts of memory.
In modern programming, we check the bucket size before pouring. But in 1994, programmers didn't always remember to do this [2].
How Long Has This Been a Problem?
This vulnerability has been in the code since 1994 – that's 32 years ago [3]!
To put that in perspective:
- The World Wide Web was barely starting
- Most people didn't have email yet
- Mobile phones were giant bricks
- Many people reading this weren't even born
Over those 32 years, this vulnerable code was copied into thousands of different systems:
- Different versions of Linux
- Different versions of BSD (another operating system)
- Network equipment
- Industrial machines
- All kinds of devices that needed remote control
It's like someone made a copy of a house key and handed it out to thousands of people, and nobody realized the key didn't have any special notches – it could open any lock.
Why This Matters for Factories and Industrial Equipment
This is the scary part.
Telnet is still used in lots of industrial equipment – the machines that run factories, power plants, water treatment facilities, and more [4].
Why are they still using something from 1994?
1. Old Equipment Is Expensive to Replace
Imagine you own a factory. You have a machine that makes your product. It cost $500,000 when you bought it 20 years ago, and it still works perfectly.
But it was built to use Telnet for remote control. If you want to make it secure, you have two choices:
- Option A: Buy a new machine for $800,000
- Option B: Keep using the old one and hope nobody hacks it
Many businesses choose Option B because they can't afford Option A.
2. Upgrading Means Shutting Down
To upgrade an industrial system, you often have to turn off the equipment. For a factory, that means:
- No production
- No money coming in
- Employees sitting around
- Contracts getting delayed
- Possibly millions of dollars in losses
Many businesses would rather take the risk than lose that money.
3. The Manufacturer Might Not Exist Anymore
Some industrial equipment was made by companies that went out of business years ago. There's nobody to call for an upgrade or a fix [5].
It's like having a car from a company that doesn't exist anymore. If something breaks, you can't order parts from the manufacturer.
What Happens When Hackers Exploit This?
When a hacker exploits CVE-2026-32746 on an industrial system, they get root access – that means total control.
They could:
- Change machine settings – make things run too fast or too hot
- Turn off safety systems – disable emergency stops or alarms
- Cause equipment damage – burn out motors or break machinery
- Shut down production – stop the factory from working
- Move to other computers – use the factory computer as a stepping stone to attack the business network
Imagine someone breaking into the control room of a factory and being able to push any button they want. That's what this vulnerability gives hackers.
Real-World Consequences
This isn't just theoretical. Industrial cyberattacks have already caused:
- Power outages when attackers hacked electrical grids
- Water contamination when attackers changed chemical mixtures
- Factory fires when attackers disabled safety systems
- Pipeline shutdowns when attackers encrypted control systems
- Millions of dollars in losses from equipment damage and production downtime
According to a 2026 report by Dragos (a company that protects industrial systems), 67% of industrial organizations had at least one cyber incident in 2025 – that's up 23% from the year before [6].
What Businesses Should Do Right Now
If your business has any industrial equipment or computer systems, here's what you need to do:
Step 1: Block Port 23 (Do This Today)
Telnet uses a specific "door" called port 23. Even if you can't fix the vulnerability right now, you can close the door.
- Find your firewall settings – this is like the security gate for your network
- Block incoming traffic on port 23 – this prevents hackers from the internet reaching your Telnet systems
- Document what you did – keep records in case you need to prove you took action
This doesn't fix the problem, but it's like putting a padlock on a door that has a broken lock – it's not perfect, but it's better than nothing.
Step 2: Find All Your Telnet Systems
You can't protect what you don't know about.
- Make a list of every computer, device, or piece of equipment that might use Telnet
- Check network equipment – routers, switches, and other networking gear often have Telnet enabled
- Check industrial equipment – PLCs, SCADA systems, controllers
- Check for forgotten systems – old test servers, development machines, equipment left by previous companies
Many businesses don't even realize how many Telnet systems they have until they go looking.
Step 3: Fix or Replace What You Can
For each system you found, decide:
Can we disable Telnet?
- If yes, turn it off and use SSH instead (SSH is the secure version of remote control)
- If no, move to the next question
Can we patch the system?
- Check if the manufacturer has released a fix for CVE-2026-32746
- Apply the patch if available
- Note: As of March 2026, official patches are still being released for many systems
Can we replace the system?
- If it's old equipment that can't be fixed, budget for replacement
- This might take months or years – but start planning now
If none of the above:
- Put the system behind a firewall (block port 23 from the internet)
- Isolate it from your main network (put it in its own separate area)
- Monitor it closely for any suspicious activity
Step 4: Set Up Monitoring
You need to know if someone is trying to exploit this vulnerability.
- Enable logging – configure your firewall to record every connection attempt to port 23
- Set up alerts – get notified immediately if someone tries to connect to Telnet
- Use intrusion detection – deploy security tools that can recognize attack patterns
- Check your logs regularly – someone needs to review the logs to catch suspicious activity
According to security researchers, standard computer logs won't catch these attacks because they happen before login – you need network-level monitoring [7].
The Bigger Lesson
CVE-2026-32746 teaches us something important about computer security:
Old mistakes don't just go away. They get copied, shared, and forgotten about – until someone finds them and uses them to break in.
For businesses, this means:
- You can't ignore old equipment – it's still part of your security
- You can't assume you're safe – just because you don't use something doesn't mean it's not there
- You need to check regularly – security isn't a one-time thing, it's an ongoing process
Think of it like maintaining a house. You can't just check the locks once and never look again. You need to check all the doors and windows regularly, especially the ones you rarely use.
What This Means for Different Types of Businesses
Factories and Manufacturing
You're at high risk. Industrial equipment often uses Telnet, and a successful attack could:
- Damage expensive machinery
- Hurt workers if safety systems are disabled
- Shut down production for days or weeks
- Cost millions in losses
Utilities and Infrastructure
You're at critical risk. Power plants, water treatment, and other utilities use industrial controls:
- Attacks could affect public safety
- Outages could impact thousands of people
- Regulatory fines for security failures
- Liability for damages
Small Businesses
You might think you're not at risk, but:
- Your network equipment (routers, switches) might have Telnet enabled
- Your vendors or suppliers might be vulnerable
- Attackers could use your systems as a stepping stone to bigger targets
Every Business
- Check your systems – you can't protect what you don't know about
- Block port 23 – close the door even if you think nobody's home
- Plan for the future – budget to replace old, insecure equipment
The Bottom Line
CVE-2026-32746 is a vulnerability from 1994 that should have been fixed decades ago. But here we are in 2026, and it's still putting businesses at risk.
The question isn't whether hackers will exploit this vulnerability. The question is whether they'll exploit it in your systems.
You can't fix 32 years of mistakes overnight. But you can start today:
- Block port 23
- Find your Telnet systems
- Fix what you can, isolate what you can't
- Monitor for attacks
Security isn't about being perfect. It's about being better than yesterday. lilMONSTER helps businesses identify hidden vulnerabilities, secure industrial systems, and build protection that works for both old and new equipment.
Book a free consultation and let's make sure your business isn't the next victim of a 32-year-old mistake.
FAQ
CVE-2026-32746 is a mistake in computer code that was made in 1994 and never fixed. It affects a system called Telnet that lets computers control each other remotely. The mistake lets hackers take complete control of a vulnerable computer without even knowing the password. This vulnerability has been copied into thousands of different systems over 32 years, including factory equipment and other industrial machines [1][2][3].
When code gets copied from one system to another, any mistakes in the original code get copied too. Over 32 years, this vulnerable Telnet code was copied into Linux systems, BSD systems, network equipment, and industrial machines. Many of these systems can't be easily upgraded because they're old, expensive to replace, or the manufacturers don't exist anymore. So the mistake keeps getting passed along like a bad genetic trait [3][4][5].
Imagine you have a bucket that holds 10 cups, but someone pours 20 cups into it. The extra 10 cups spill everywhere. A buffer overflow is the same thing in computers. A program sets aside a small space in memory (the bucket), but the data it receives is too big (too much water). The extra data spills into other parts of memory and can overwrite important stuff. In CVE-2026-32746, hackers carefully craft the overflow to make the computer run their code instead [2].
Many industrial machines (like the ones in factories, power plants, and water treatment facilities) were built 20+ years ago when Telnet was common. These machines often cost hundreds of thousands of dollars and can't easily be replaced. They were designed to be controlled remotely using Telnet, and there's no easy way to upgrade them to use secure alternatives. When hackers exploit this vulnerability on industrial systems, they can control physical equipment – changing settings, disabling safety systems, or causing damage [4][5][6].
Immediate steps: (1) Block port 23 (Telnet's door) at your firewall to prevent internet attackers, (2) Find all systems that use Telnet (including forgotten or inherited ones), (3) Disable Telnet wherever possible and use SSH instead, (4) Isolate systems that can't be fixed – put them behind firewalls and separate them from main networks, (5) Set up monitoring to detect attack attempts. Long-term: Replace old equipment that can't be secured [1][7].
References
[1] The Hacker News, "Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE," March 20, 2026. [Online]. Available: https://thehackernews.com/2026/03/critical-telnetd-flaw-cve-2026-32746.html
[2] watchTowr Labs, "A 32-Year-Old Bug Walks Into A Telnet Server (GNU inetutils Telnetd CVE-2026-32746 Pre-Auth RCE)," March 20, 2026. [Online]. Available: https://labs.watchtowr.com/a-32-year-old-bug-walks-into-a-telnet-server-gnu-inetutils-telnetd-cve-2026-32746/
[3] watchTowr Labs, "A 32-Year-Old Bug Walks Into A Telnet Server," March 20, 2026. [Online]. Available: https://labs.watchtowr.com/a-32-year-old-bug-walks-into-a-telnet-server-gnu-inetutils-telnetd-cve-2026-32746/
[4] Industrial Cyber, "Dream Security flags critical RCE vulnerability in GNU Inetutils telnetd, exposing ICS and OT systems," March 20, 2026. [Online]. Available: https://industrialcyber.co/threats-attacks/dream-security-flags-critical-rce-vulnerability-in-gnu-inetutils-telnetd-exposing-ics-and-ot-systems/
[5] Dream Security, "Vulnerability advisory: Pre-Auth Remote Code Execution via Buffer Overflow in telnetd LINEMODE SLC Handler," March 13, 2026. [Online]. Available: https://dreamgroup.com/vulnerability-advisory-pre-auth-remote-code-execution-via-buffer-overflow-in-telnetd-linemode-slc-handler/
[6] Dragos, "2026 ICS/OT Cybersecurity Year in Review," Dragos, 2026. [Online]. Available: https://dragos.com/resource/2026-ics-cybersecurity-year-in-review
[7] Industrial Cyber, "Dream Security flags critical RCE vulnerability in GNU Inetutils telnetd," March 20, 2026. [Online]. Available: https://industrialcyber.co/threats-attacks/dream-security-flags-critical-rce-vulnerability-in-gnu-inetutils-telnetd-exposing-ics-and-ot-systems/