Zero-Auth Telnetd Flaw Enables Remote Root RCE in GNU InetUtils (CVE-2026-32746)

TL;DR Summary
A critical unauthenticated flaw in GNU InetUtils telnetd (CVE-2026-32746) lets a remote attacker execute code with root privileges by sending crafted LINEMODE SLC options during the initial handshake. It affects all versions up to 2.7; a fix is expected by April 1, 2026. Mitigations include disabling telnetd where possible, running it non-root when needed, and blocking or isolating port 23 at network and host levels. The issue follows a previous high-severity telnetd flaw (CVE-2026-24061) and has been noted as actively exploited in the wild per CISA.
- Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE (The Hacker News)
- Critical Telnetd Vulnerability Enables Remote Attacker to Execute Arbitrary Code via Port 23 (CyberSecurityNews)
- Telnet: Critical vulnerability allows injecting malicious code from the network (heise online)
- Dream Security flags critical RCE vulnerability in GNU Inetutils telnetd, exposing ICS and OT systems (Industrial Cyber)
- CVE-2026-32746: Critical Unpatched Vulnerability in GNU InetUtils telnetd Enables Unauthenticated Remote Root Code Execution via Port 23 (Rescana)