A newly revealed serious security hole in the telnetd daemon in GNU Inetutils could let attackers who aren't logged in take full control of affected systems. This is a big problem for older systems that still use Telnet to connect to the internet.
The flaw has a CVSS 3.1 score of 9.8 and is tracked as CVE-2026-32746. It comes from a classic buffer overflow (CWE-120) in the LINEMODE Set Local Characters (SLC) option handler. Dream Security Labs found the problem, which affects all versions of GNU Inetutils telnetd up to version 2.7. There is a vulnerability in how telnetd handles LINEMODE SLC negotiation during the initial connection phase, which allows for pre-auth RCE.
An attacker can exploit this flaw by sending a specially crafted Telnet message immediately after establishing a TCP connection on port 23, before any authentication occurs. There is no need for credentials or user interaction because the vulnerable code is triggered during protocol negotiation. A single bad packet with an oversized SLC suboption can overflow the buffer, which allows arbitrary code execution.
In a normal deployment, telnetd runs with root privileges through inetd or xinetd. As a result, successful exploitation gives attackers full access to the system, which lets them run commands, install persistent backdoors, and move deeper into the network. Telnet has fallen out of general use because it doesn't encrypt data, but it is still widely used in industrial control systems (ICS), operational technology (OT), and some government networks.
Many of these places still use old technology like PLCs, SCADA systems, and embedded devices that were made to use Telnet as their main management interface. It is often hard to upgrade or replace these systems because of the cost, operational limits, or lack of vendor support. This leaves them highly exposed to new bugs like CVE-2026-32746.
For instance, a SCADA controller with Telnet access that is connected to a network could be compromised remotely with just one connection. This could let attackers change physical processes like power distribution or manufacturing.
Systems that were affected

The vulnerability affects a lot of places where GNU Inetutils telnetd is used, such as:

- Linux distributions like Debian, Ubuntu, RHEL, and SUSE, if telnetd is installed or turned on
- Embedded systems and IoT devices that have Telnet interfaces
- Industrial and OT networks that use Telnet to connect to old equipment
- Servers and network appliances listening on TCP port 23

As soon as a client starts a Telnet session and negotiates LINEMODE, any system that runs the vulnerable code path is at risk.

It is hard to detect exploitation attempts because the attack happens before authentication, which means that traditional logs like /var/log/auth.log won't show malicious activity. Instead, defenders should depend on visibility at the network level.
Unusually large LINEMODE SLC suboption payloads during Telnet sessions are signs of a breach.
Security teams should turn on firewall logging for incoming connections on port 23 and use intrusion detection signatures that can look at Telnet option negotiation traffic. Packet capture can also help find unusual SLC triplet counts, which are a strong sign that someone is trying to exploit the system. There is no patch available at the time of disclosure, so quick action is very important.
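The packet-capture check described above can be sketched as follows. This is an added example, not code from the article or from GNU Inetutils; it assumes the input is an already reassembled client-to-server TCP payload, and the 30-triplet alert threshold and the sample bytes are constructed assumptions.

```python
# Added example (not from the article): flag suspicious LINEMODE SLC suboptions
# in a reassembled client-to-server Telnet byte stream from a packet capture.
IAC, SB, SE = 255, 250, 240   # Telnet command bytes (RFC 854/855)
LINEMODE, LM_SLC = 34, 3      # LINEMODE option and its SLC subcommand (RFC 1184)
MAX_TRIPLETS = 30             # assumed alert threshold; tune for your environment


def iter_suboptions(stream: bytes):
    """Yield the un-escaped body of each IAC SB ... IAC SE block."""
    i, n = 0, len(stream)
    while i + 1 < n:
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] != SB:
            # WILL/WONT/DO/DONT (251-254) carry an option byte; others are 2 bytes
            i += 3 if 251 <= stream[i + 1] <= 254 else 2
        else:
            i += 2
            body = bytearray()
            while i < n:
                nxt = stream[i + 1] if i + 1 < n else None
                if stream[i] == IAC and nxt == SE:
                    i += 2
                    break
                # IAC IAC is an escaped 0xFF data byte inside a suboption
                step = 2 if stream[i] == IAC and nxt == IAC else 1
                body.append(stream[i])
                i += step
            yield bytes(body)  # also yields unterminated blocks (truncated capture)


def find_slc_anomalies(stream: bytes, max_triplets: int = MAX_TRIPLETS):
    """Return one finding per LINEMODE SLC suboption that looks abnormal."""
    findings = []
    for body in iter_suboptions(stream):
        if len(body) < 2 or body[0] != LINEMODE or body[1] != LM_SLC:
            continue
        triplets, leftover = divmod(len(body) - 2, 3)
        if triplets > max_triplets:
            findings.append({"triplets": triplets, "reason": "too many SLC triplets"})
        elif leftover:
            findings.append({"triplets": triplets, "reason": "SLC data not a multiple of 3"})
    return findings


# Constructed sample: an ordinary negotiation carrying three SLC triplets.
BENIGN = bytes([IAC, 251, LINEMODE,
                IAC, SB, LINEMODE, LM_SLC, 1, 2, 0, 3, 2, 3, 8, 2, 4, IAC, SE])

if __name__ == "__main__":
    print(find_slc_anomalies(BENIGN))   # no findings for the benign sample
```

Feed it the client side of each port 23 session from a capture and alert on any non-empty result; the threshold should sit just above the triplet counts your legitimate clients actually send.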
Organizations should turn off telnetd whenever they can and switch to safer options like SSH. If you can't get rid of Telnet, firewall rules should strictly limit access to port 23, and the service should be kept separate from networks that aren't trusted. Running telnetd with fewer privileges can also help lessen the damage that can be done by exploitation.
Because this vulnerability isn't very complicated and doesn't require authentication, defenders should consider any Telnet service that is open to be very high risk until a fix is available.











