Critical Telnetd Vulnerability Allows Remote Code Execution Attacks

A newly disclosed critical vulnerability in GNU Inetutils’ telnetd daemon could allow unauthenticated attackers to gain full control of affected systems, raising serious concerns for legacy environments that still rely on Telnet for remote access.

Tracked as CVE-2026-32746, the flaw carries a CVSS 3.1 score of 9.8 and stems from a classic buffer overflow (CWE-120) in the LINEMODE Set Local Characters (SLC) option handler.

The issue was discovered by Dream Security Labs and affects all versions of GNU Inetutils telnetd up to version 2.7.

Pre-auth RCE via Telnet Handshake

The vulnerability exists in the way telnetd processes LINEMODE SLC negotiation during the initial connection phase.

An attacker can exploit this flaw by sending a specially crafted Telnet message immediately after establishing a TCP connection on port 23, before any authentication occurs.

Because the vulnerable code is triggered during protocol negotiation, no credentials or user interaction are required. A single malicious packet containing an oversized SLC suboption can overflow the buffer, enabling arbitrary code execution.

In typical deployments, telnetd runs with root privileges via inetd or xinetd. As a result, successful exploitation grants attackers full system-level access, allowing them to execute commands, install persistent backdoors, and pivot deeper into the network.

Although Telnet is considered obsolete due to its lack of encryption, it remains widely used in industrial control systems (ICS), operational technology (OT), and certain government networks.

Many of these environments rely on legacy infrastructure such as PLCs, SCADA systems, and embedded devices that were designed with Telnet as their primary management interface.

Upgrading or replacing these systems is often difficult due to cost, operational constraints, or lack of vendor support. This makes them particularly vulnerable to newly discovered flaws like CVE-2026-32746.

For example, a Telnet-enabled SCADA controller exposed to a network could be remotely compromised with a single connection, potentially allowing attackers to manipulate physical processes such as power distribution or manufacturing operations.

Affected Systems

The vulnerability impacts a wide range of environments where GNU Inetutils telnetd is deployed, including:

  • Linux distributions such as Debian, Ubuntu, RHEL, and SUSE, if telnetd is installed or enabled
  • Embedded systems and IoT devices exposing Telnet interfaces
  • Industrial and OT networks using Telnet for legacy equipment access
  • Servers and network appliances listening on TCP port 23

Any system running the vulnerable code path is exposed as soon as a client initiates a Telnet session and negotiates LINEMODE.

Detection of exploitation attempts is difficult because the attack occurs before authentication, meaning traditional logs such as /var/log/auth.log will not capture malicious activity.

Defenders should instead rely on network-level visibility. Indicators of compromise include unusually large LINEMODE SLC suboption payloads during Telnet sessions.

Security teams are advised to enable firewall logging for inbound connections on port 23 and deploy intrusion detection signatures capable of inspecting Telnet option negotiation traffic.

Packet capture can also help identify abnormal SLC triplet counts, which are a strong signal of exploitation attempts.
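The detection logic the article describes, as an added example that is not from the article or from GNU Inetutils: a small parser that walks the client-to-server bytes of a Telnet session, extracts IAC SB ... IAC SE suboptions, and flags LINEMODE SLC suboptions whose triplet count or length is abnormal. The 18-function ceiling comes from RFC 1184 and is an assumed threshold; the sample byte strings are constructed for the example.

```python
IAC, SB, SE, WILL, WONT, DO, DONT = 255, 250, 240, 251, 252, 253, 254  # RFC 854 command bytes
LINEMODE, SLC = 34, 3        # LINEMODE option and its SLC suboption code (RFC 1184)
MAX_SLC_FUNCS = 18           # RFC 1184 defines 18 SLC functions; assumed upper bound per suboption

def extract_suboptions(data: bytes):
    """Yield (option, payload, complete) per IAC SB ... IAC SE block, unescaping IAC IAC."""
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC or i + 1 >= n:
            i += 1
            continue
        cmd = data[i + 1]
        if cmd != SB or i + 2 >= n:         # WILL/WONT/DO/DONT carry an option byte: skip 3
            i += 3 if cmd in (WILL, WONT, DO, DONT) else 2
            continue
        option, payload, j = data[i + 2], bytearray(), i + 3
        while j < n:
            if data[j] == IAC and j + 1 < n and data[j + 1] in (SE, IAC):
                if data[j + 1] == SE:
                    yield option, bytes(payload), True
                    break
                j += 1                      # IAC IAC escape: keep a single IAC as data
            payload.append(data[j])
            j += 1
        else:                               # data ended before IAC SE
            yield option, bytes(payload), False
            return
        i = j + 2

def inspect_linemode_slc(data: bytes) -> list:
    """One finding per LINEMODE SLC suboption in a client-to-server byte stream."""
    findings = []
    for option, payload, complete in extract_suboptions(data):
        if option != LINEMODE or not payload or payload[0] != SLC:
            continue
        body = payload[1:]                  # (function, modifier, char) triplets
        triplets = len(body) // 3
        # More entries than SLC functions exist, or a partial triplet, is not legitimate client behaviour
        findings.append({"triplets": triplets, "payload_bytes": len(payload), "complete": complete,
                         "suspicious": triplets > MAX_SLC_FUNCS or len(body) % 3 != 0})
    return findings

def build_slc(triplets: list) -> bytes:
    """Constructed test helper: encode an SLC suboption, escaping 0xFF inside the payload."""
    body = (bytes([SLC]) + b"".join(bytes(t) for t in triplets)).replace(b"\xff", b"\xff\xff")
    return bytes([IAC, SB, LINEMODE]) + body + bytes([IAC, SE])

# Constructed samples: a benign 3-entry SLC following DO LINEMODE, and an oversized 300-entry one
BENIGN = bytes([IAC, DO, LINEMODE]) + build_slc([(3, 2, 3), (4, 2, 15), (8, 2, 255)])
OVERSIZED = build_slc([(1, 0, 0)] * 300)
```

Feeding the same function the client side of a pcap stream (for example the reassembled TCP payload exported from a capture tool) gives one finding per SLC suboption, so an alert can key on `suspicious` or on `payload_bytes` alone.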

No patch is available at the time of disclosure, making immediate mitigation critical. Organizations are strongly advised to disable telnetd wherever possible and transition to secure alternatives such as SSH.

If Telnet cannot be removed, access to port 23 should be strictly limited using firewall rules, and the service should be isolated from untrusted networks.

Running telnetd with reduced privileges can also help minimize the impact of exploitation.

Given the low complexity and pre-auth nature of this vulnerability, defenders should treat any exposed Telnet service as high risk until a fix is released.

The post Critical Telnetd Vulnerability Allows Remote Code Execution Attacks appeared first on Cyber Security News.
