Securityaffairs.Co
Critical RCE Vulnerability in GNU InetUtils telnetd Exposes Systems to Attacks
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A critical vulnerability, CVE-2026-32746, has been discovered in the GNU InetUtils telnetd daemon, affecting all versions up to and including 2.7. This flaw allows unauthenticated remote attackers to execute arbitrary code with root privileges by sending a specially crafted message during the Telnet handshake on port 23. The vulnerability is classified as a buffer overflow and has a CVSS score of 9.8, indicating its critical nature. It poses a significant risk, especially to Industrial Control Systems (ICS) and operational technology (OT) environments where Telnet is still widely used. As of now, there are no confirmed instances of active exploitation, but the potential for imminent attacks is high due to the availability of technical details in public forums. Organizations are urged to restrict access to telnetd and consider migrating to more secure protocols like SSH. A patch is expected to be released on April 1, 2026, but until then, immediate mitigation measures are necessary.
Key Points: • CVE-2026-32746 allows unauthenticated RCE via GNU InetUtils telnetd on port 23. • The vulnerability has a CVSS score of 9.8 and affects all versions up to 2.7. • Immediate action is required to mitigate risks, with a patch expected on April 1, 2026.