Critical Flaw in GNU InetUtils Telnetd Allows Unauthenticated Root Access
Cybersecurity researchers have publicly disclosed a critical security vulnerability in the GNU InetUtils telnet daemon (telnetd) that enables unauthenticated remote attackers to execute arbitrary code with elevated privileges. Tracked as CVE-2026-32746, the vulnerability was reported by The Hacker News on March 18, 2026 and represents a significant risk for any system running the GNU telnet daemon exposed over the network.
GNU InetUtils is a collection of common networking tools — including telnet, ftp, rsh, and others — distributed with many Linux and Unix-derived systems. The telnetd server component provides a Telnet listening service on TCP port 23 and is still present in a wide range of embedded systems, industrial control systems, legacy servers, and networking equipment.
No patch is currently available. Administrators are urged to disable or firewall telnetd immediately.
Vulnerability Details
| Attribute | Value |
|---|---|
| CVE | CVE-2026-32746 |
| Severity | Critical |
| Affected Software | GNU InetUtils telnetd |
| Attack Vector | Network |
| Authentication Required | None |
| User Interaction | None |
| Privilege Level Achieved | Elevated (root or equivalent) |
| Patch Available | No |
| Disclosed | March 18, 2026 |
How the Vulnerability Works
The flaw resides in the GNU InetUtils telnet daemon (telnetd), the server-side component that accepts inbound Telnet connections on port 23. The vulnerability can be triggered without authentication — before any login prompt is presented to a connecting client.
Attack Flow
1. Attacker identifies a system running telnetd on TCP port 23
2. Attacker sends a specially crafted Telnet protocol packet to the daemon
3. The malformed packet triggers a memory corruption or logic error in the telnetd option negotiation or initialization routines
4. The vulnerability is exploitable pre-authentication — before any user credentials are requested or validated
5. Successful exploitation gives the attacker code execution with the privileges of the telnetd process (typically root)
6. Attacker has full unauthenticated remote root access to the host
Why Pre-Auth Matters
Most network service vulnerabilities require at least a valid username or some form of authentication. CVE-2026-32746 requires nothing — an attacker can begin exploitation the moment a TCP connection is established to port 23. This eliminates authentication logging as a detection signal and allows exploitation to occur without any credential data ever being submitted.
For systems where telnetd is internet-facing, this is a trivially exploitable, unauthenticated root compromise.
Affected Systems
GNU InetUtils is distributed with or present on a wide range of systems:
| System Type | Exposure Level | Notes |
|---|---|---|
| Linux servers with telnetd enabled | Critical | Any internet-exposed instance is trivially exploitable |
| Embedded systems and appliances | High | Many use GNU InetUtils for management access |
| Industrial Control Systems (ICS/SCADA) | High | Legacy telnet access common; patching often constrained |
| Network equipment | Medium | Some devices use GNU telnetd for fallback management |
| Legacy Unix/Linux VMs | Medium | Old systems may have telnetd enabled by default |
| Docker containers with telnetd | Medium | Any exposed container with the daemon running |
A notable concern is industrial and embedded environments where telnetd is often the only available remote management interface and firmware updates may not be possible on a short timeline.
Why Is Telnet Still in Use?
Despite being decades old and widely acknowledged as insecure (it transmits credentials and data in plaintext), Telnet persists in several contexts:
- Legacy infrastructure — systems that predate SSH or where SSH cannot be retrofitted
- Industrial equipment — PLCs, HMIs, and SCADA systems with Telnet management interfaces
- Embedded devices — routers, switches, printers, and appliances from vendors who have not adopted SSH
- Development and testing — internal lab environments where convenience is prioritized
- Out-of-band access — some management networks use Telnet as a fallback protocol
CVE-2026-32746 transforms the latent risk of running telnetd into an immediate, critical attack surface.
Impact Assessment
| Impact Area | Description |
|---|---|
| Internet-exposed telnetd | Trivial unauthenticated root compromise — mass scanning and exploitation likely |
| Internal network exposure | Any attacker with internal access can achieve root on systems with telnetd |
| ICS/OT environments | Critical risk — telnetd common in OT environments; exploitation could disrupt operations or damage equipment |
| Cloud/hosting infrastructure | Any VPS or cloud instance with port 23 open is directly exploitable |
| Credential harvesting | Root access enables credential theft from all users on the compromised host |
Immediate Mitigations
No patch is currently available. The following compensating controls must be applied now.
1. Disable telnetd Immediately
This is the definitive fix. Disable the telnet daemon on all systems where it is not absolutely required.
systemd-based Linux systems:
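```bash
# Stop and disable the telnet daemon
sudo systemctl stop telnetd
sudo systemctl disable telnetd
# If using inetd/xinetd, comment out the telnet entry
sudo nano /etc/inetd.conf # comment out: telnet stream tcp nowait root /usr/sbin/telnetd
sudo nano /etc/xinetd.d/telnet # set: disable = yes
# Restart whichever super-server is in use so the change takes effect
sudo systemctl restart inetd
sudo systemctl restart xinetd
```
Verify no telnetd process is running:
```bash
# The [t] keeps grep from matching its own command line
ps aux | grep '[t]elnetd'
# Match listeners on port 23 only (a plain grep for :23 also matches :2323)
ss -tlnp 'sport = :23'
```
2. Block Port 23 at the Firewall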
If telnetd cannot be immediately disabled (e.g., embedded systems with no remote management alternative), block all inbound access to TCP port 23 at the network perimeter.
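```bash
# Block inbound Telnet from any untrusted source.
# -I without a position inserts at the top of the chain, so explicit positions
# are used here: the ACCEPT for the management range must sit above the DROP.
iptables -I INPUT 1 -p tcp --dport 23 -s <TRUSTED_MGMT_CIDR> -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 23 -j DROP
# IPv6
ip6tables -I INPUT -p tcp --dport 23 -j DROP
```
3. Network Segmentation for ICS/OT Environments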
For industrial environments where disabling telnetd or patching is not immediately possible:
- Place all systems with telnetd on isolated network segments
- Block all routing between the OT/ICS network and corporate IT networks
- Require a hardened jump server for any access to the isolated segment
- Log all access to the segment for anomaly detection
4. Scan Your Environment
```bash
# Identify all systems with port 23 open internally
nmap -p 23 --open <INTERNAL_SUBNET>
# Fingerprint the service listening on port 23 (service/version detection)
nmap -sV -p 23 <TARGET>
```
Detection Guidance
| Detection Signal | Description |
|---|---|
| Unexpected processes as root spawned by telnetd | Post-exploitation code execution |
| Network connections on port 23 from unexpected sources | Scanning or exploitation attempts |
| Telnet banner responses in IDS/NDR alerts | Confirm telnetd is still running and exposed |
| New root-level accounts or SSH keys | Post-exploitation persistence |
| Unusual outbound connections from servers with port 23 open | Potential C2 communication after compromise |
Given the pre-authentication nature of this flaw, no authentication event will appear in logs when exploitation occurs. Network-level detections and process monitoring are the primary signals available.
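The first signal in the table, unexpected processes spawned by telnetd, can be checked from a process listing. The script below is an added example, not part of the original advisory; the sample listing is constructed, and the allow-list of expected children (`login` only) is an assumption to adjust per host. It inspects direct children only, because a shell started by `login` after a normal sign-in is expected.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): flag processes started
# directly by telnetd that are not the expected login handoff.

# Assumption: telnetd on this host hands sessions to "login" only; add any
# site-specific login program here, space separated.
EXPECTED_CHILDREN="login"

# Constructed sample in `ps -eo pid,ppid,user,comm` format (not real data).
sample_ps_listing() {
  cat <<'EOF'
    PID    PPID USER     COMMAND
      1       0 root     systemd
    812       1 root     inetd
   2101     812 root     telnetd
   2102    2101 root     login
   2103    2102 alice    bash
   2150     812 root     telnetd
   2151    2150 root     sh
   2152    2151 root     curl
EOF
}

# Reads a ps listing on stdin; prints "pid user comm parent_pid" for every
# direct child of a telnetd process that is neither telnetd nor expected.
find_suspicious_telnetd_children() {
  awk -v expected="$EXPECTED_CHILDREN" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    $1 == "PID" { next }                       # skip the ps header
    { pid[NR] = $1; ppid[NR] = $2; user[NR] = $3; comm[NR] = $4
      if ($4 ~ /telnetd$/) is_telnetd[$1] = 1 }
    END {
      for (r = 1; r <= NR; r++) {
        if (!(r in pid)) continue
        if ((ppid[r] in is_telnetd) && !(pid[r] in is_telnetd) && !(comm[r] in ok))
          print pid[r], user[r], comm[r], ppid[r]
      }
    }'
}

# Live use: ps -eo pid,ppid,user,comm | find_suspicious_telnetd_children
if [ "${1:-}" = "--sample" ]; then
  sample_ps_listing | find_suspicious_telnetd_children
fi
```

On the constructed sample, the `sh` process with parent telnetd (PID 2150) is reported, while the `login` handoff under PID 2101 is not.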
Key Takeaways
- CVE-2026-32746 is a pre-authentication, root-level RCE in GNU InetUtils telnetd — one of the most severe vulnerability classes possible
- No patch is available — organizations must apply compensating controls (disable telnetd, block port 23) immediately
- Mass scanning for port 23 is likely once this vulnerability becomes widely known — internet-exposed instances face near-certain compromise
- Industrial and embedded environments face the greatest operational risk due to limited ability to disable telnetd or apply rapid updates
- Telnet as a protocol should have been retired years ago — this disclosure provides a definitive business case to eliminate telnetd entirely from all non-critical legacy systems
- Where telnetd is absolutely required, treat those systems as maximally restricted and isolated from all other network segments until a patch is available