Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE via Port 23

2026-03-18

1 min read

by info@thehackernews.com (The Hacker News)

Read Original

Get the latest tech trends every morning

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Endigest AI Core Summary

A critical unauthenticated remote code execution vulnerability (CVE-2026-32746, CVSS 9.8) has been disclosed in GNU InetUtils telnetd, affecting all versions through 2.7.

•The flaw is an out-of-bounds write in the LINEMODE SLC suboption handler, triggered via a crafted protocol message during the initial connection handshake before authentication
•A single connection to port 23 is sufficient to exploit it — no credentials, user interaction, or special network position required
•Since telnetd typically runs as root under inetd/xinetd, successful exploitation grants full system control
•Post-exploitation risks include persistent backdoor deployment, data exfiltration, and lateral movement using compromised hosts as pivot points
•

Mitigations until the patch (expected by April 1, 2026): disable telnetd if unused, run without root privileges, block port 23 at firewall level, and isolate Telnet access

Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE via Port 23

Get the latest tech trends every morning

Endigest AI Core Summary

Related Articles

China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing

Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers

UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack

Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture