CyberSecurityNews

Critical Telnetd Vulnerability Enables Remote Attacker to Execute Arbitrary Code


Security researchers have identified a critical buffer overflow vulnerability in the GNU Inetutils telnetd daemon.

Tracked as CVE-2026-32746, this flaw allows an unauthenticated remote attacker to execute arbitrary code and gain root access to affected systems.

The vulnerability requires no user interaction and has a trivial exploitation path, prompting an urgent warning for defenders managing legacy infrastructure.

The core issue stems from how the telnetd daemon handles LINEMODE SLC (Set Local Characters) option negotiation.

An attacker can trigger the classic buffer overflow by sending a specially crafted message during the initial connection handshake.

Because this occurs before any authentication prompt appears, the exploit requires no valid credentials. Dream Security researchers reported the vulnerability to the GNU Inetutils team on March 11, 2026.


Telnetd Vulnerability Enables Remote Attack

Maintainers quickly confirmed the finding and approved a patch, though the official release is not expected until April 1, 2026.

While active exploitation has not been observed in the wild, the attack’s low complexity demands immediate defensive action.

While modern IT networks have largely deprecated Telnet in favor of SSH, the plaintext protocol remains heavily entrenched in Industrial Control Systems (ICS), operational technology (OT), and government environments.

Aging programmable logic controllers (PLCs) and SCADA systems frequently rely on Telnet as their exclusive remote management interface.

Upgrading these systems is notoriously expensive and operationally disruptive, forcing organizations to accept long-term exposure.

Because the telnetd service typically runs as root via inetd or xinetd, a successful exploit yields total host compromise.

Attackers can install persistent backdoors, steal sensitive operational data, or use the breached device as a pivot point to launch deeper attacks against physical manufacturing lines, water treatment facilities, or power grids.

With a formal patch still pending, security teams must implement immediate workarounds to protect exposed systems.

Turning off the telnetd service is the most effective defense. If the service remains operationally necessary, network administrators must block port 23 at the perimeter firewall to restrict access to trusted hosts only.

Running telnetd without root privileges can also limit the blast radius of a successful exploit.

Dream Security researchers warn that standard authentication logs won’t capture this attack, as it executes during the initial option negotiation phase.

Defenders must rely on network-level logging and packet capture to identify threats.

Organizations should configure firewall rules to log all new connections to port 23 and deploy Intrusion Detection System (IDS) signatures to alert on LINEMODE SLC suboptions carrying unusually large payloads exceeding 90 bytes.
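To show what the IDS guidance above amounts to in practice, here is an added example (not code from the article or from GNU Inetutils) that walks raw Telnet negotiation bytes, extracts LINEMODE SLC suboptions, and reports any whose payload exceeds the 90-byte threshold the article suggests; the two sample streams are constructed for illustration.

```python
# Added detection example (not code from the article or from GNU Inetutils):
# scan a raw Telnet byte stream for LINEMODE SLC suboptions whose payload
# exceeds the 90-byte threshold the article suggests for IDS alerting.
IAC, SB, SE = 255, 250, 240      # Telnet command bytes (RFC 854)
LINEMODE, SLC = 34, 3            # LINEMODE option (RFC 1184) and its SLC suboption code
SLC_PAYLOAD_THRESHOLD = 90       # alert threshold quoted in the article


def iter_suboptions(stream: bytes):
    """Yield (option, data) for each IAC SB ... IAC SE block, undoing IAC IAC escapes."""
    i, n = 0, len(stream)
    while i + 2 < n:
        if stream[i] != IAC or stream[i + 1] != SB:
            i += 1
            continue
        option, data, j = stream[i + 2], bytearray(), i + 3
        while j < n:
            if stream[j] == IAC and j + 1 < n:
                if stream[j + 1] == SE:          # end of suboption
                    yield option, bytes(data)
                    j += 2
                    break
                if stream[j + 1] == IAC:         # escaped 0xFF data byte
                    data.append(IAC)
                    j += 2
                    continue
            data.append(stream[j])
            j += 1
        i = j   # an unterminated suboption simply ends the scan


def find_oversized_slc(stream: bytes, threshold: int = SLC_PAYLOAD_THRESHOLD):
    """Return the payload lengths of LINEMODE SLC suboptions larger than threshold."""
    hits = []
    for option, data in iter_suboptions(stream):
        if option == LINEMODE and data and data[0] == SLC:
            payload_len = len(data) - 1          # bytes after the SLC code
            if payload_len > threshold:
                hits.append(payload_len)
    return hits


# Constructed samples: a benign SLC negotiation of two triplets, then one with
# a 120-byte payload that a rule built on the article's threshold would flag.
NORMAL = bytes([IAC, SB, LINEMODE, SLC, 1, 2, 3, 4, 5, 6, IAC, SE])
OVERSIZED = bytes([IAC, SB, LINEMODE, SLC]) + bytes([0x41] * 120) + bytes([IAC, SE])
```

Running `find_oversized_slc` over a packet capture's reassembled TCP payload on port 23 gives the same signal a signature-based IDS rule would raise, which is useful for validating such a rule before deployment.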

All logs must be forwarded to a centralized SIEM to prevent attackers from wiping forensic evidence after achieving root access.
