Critical RCE Vulnerability in GNU InetUtils telnetd Exposes Systems to Attacks

Critical RCE Vulnerability in GNU InetUtils telnetd Exposes Systems to Attacks

First seen 18 Mar 2026, 16:13 UTC GbhackersCybersecuritynewsThehackernewsSecurityaffairs.CoRescana+4 88% similarity 74.0

Article Content

Browse articles
ThreatCluster

A critical vulnerability, CVE-2026-32746, has been discovered in the GNU InetUtils telnetd daemon, affecting all versions up to and including 2.7. This flaw allows unauthenticated remote attackers to execute arbitrary code with root privileges by sending a specially crafted message during the Telnet handshake on port 23. The vulnerability is classified as a buffer overflow and has a CVSS score of 9.8, indicating its critical nature. It poses a significant risk, especially to Industrial Control Systems (ICS) and operational technology (OT) environments where Telnet is still widely used. As of now, there are no confirmed instances of active exploitation, but the potential for imminent attacks is high due to the availability of technical details in public forums. Organizations are urged to restrict access to telnetd and consider migrating to more secure protocols like SSH. A patch is expected to be released on April 1, 2026, but until then, immediate mitigation measures are necessary.

Key Points: • CVE-2026-32746 allows unauthenticated RCE via GNU InetUtils telnetd on port 23. • The vulnerability has a CVSS score of 9.8 and affects all versions up to 2.7. • Immediate action is required to mitigate risks, with a patch expected on April 1, 2026.

ThreatCluster AI

Timeline

2026-01-21
CVE-2026-24061 published
2026-03-13
CVE-2026-32746 published by Dream Security Labs
2026-03-18
First public proof of concept released
2026-04-01
Patch expected for CVE-2026-32746

Community

Browse all →