The GNU Inetutils telnetd daemon has a serious buffer overflow flaw. Tracked as CVE-2026-32746, it lets an unauthenticated remote attacker execute arbitrary code and gain root access on affected systems. The vulnerability requires no user interaction and is easy to exploit, which is why defenders of legacy infrastructure need to be warned right away.
Dream Security Research says the root of the problem is how the telnetd daemon handles LINEMODE SLC (Set Local Characters) option negotiation. During the initial connection handshake, an attacker can send a specially crafted message that triggers a classic buffer overflow. Because this happens before any authentication prompt appears, the exploit needs no valid credentials. On March 11, 2026, Dream Security researchers reported the problem to the GNU Inetutils team.
The telnetd vulnerability can be exploited remotely. The maintainers quickly confirmed the finding and approved a patch, but the official release won't happen until April 1, 2026. Although active exploitation hasn't been seen in the wild, the attack's low complexity calls for immediate defensive action.
Telnet is rarely used in modern IT networks, where SSH has replaced it, but it is still very common in Industrial Control Systems (ICS), operational technology (OT), and government settings. Telnet is often the only way to remotely manage old programmable logic controllers (PLCs) and SCADA systems. Upgrading these systems is known to be costly and disruptive to operations, so organizations have to live with long-term exposure. Because inetd or xinetd usually runs the telnetd service as root, a successful exploit gives the attacker full control of the host.
Attackers can set up persistent backdoors, steal sensitive operational data, or use the compromised device as a base to launch more serious attacks on physical manufacturing lines, water treatment plants, or power grids. While a formal patch is still in the works, security teams must apply interim mitigations to protect vulnerable systems. The most effective protection is to disable the telnetd service.
If the service is still needed for business, network admins should restrict port 23 at the perimeter firewall so that only trusted hosts can reach it. Running telnetd without root privileges also reduces the impact of a successful exploit.
Researchers at Dream Security say that normal authentication logs won't catch this attack because it happens during the first phase of option negotiation, before any login attempt is recorded. Defenders need network-level logging and packet capture to detect it. Organizations should configure their firewalls to log all new connections to port 23 and use Intrusion Detection System (IDS) signatures that alert on LINEMODE SLC suboptions with payloads larger than 90 bytes.
To stop hackers from deleting forensic evidence after getting root access, all logs must be sent to a central SIEM.
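
The 90-byte LINEMODE SLC check described above can be prototyped over reassembled client-to-server bytes from a packet capture. This is an added example, not code from Dream Security or GNU Inetutils; the function names, the sample streams, and the choice to measure the payload as the un-escaped bytes after the SLC sub-command are assumptions.

```python
# Telnet constants from RFC 854 / RFC 1184.
IAC, SB, SE = 255, 250, 240
OPT_LINEMODE, LM_SLC = 34, 3
SLC_THRESHOLD = 90  # bytes; the alerting threshold quoted in the article


def iter_subnegotiations(stream: bytes):
    """Yield (option, payload) for each IAC SB ... IAC SE block.

    A block that is never terminated is still yielded, so an oversized
    suboption cut off at the end of a capture is measured too.
    """
    i, n = 0, len(stream)
    while i < n - 1:
        if stream[i] != IAC:
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd != SB:
            # WILL/WONT/DO/DONT (251-254) carry one option byte; other commands none.
            i += 3 if 251 <= cmd <= 254 else 2
            continue
        j, body = i + 2, bytearray()
        while j < n:
            if stream[j] == IAC and j + 1 < n and stream[j + 1] == SE:
                break  # end of subnegotiation
            if stream[j] == IAC and j + 1 < n and stream[j + 1] == IAC:
                j += 1  # doubled IAC is one literal 0xFF data byte
            body.append(stream[j])
            j += 1
        if body:
            yield body[0], bytes(body[1:])
        i = j + 2


def oversized_slc(stream: bytes, threshold: int = SLC_THRESHOLD):
    """Return the payload length of every LINEMODE SLC suboption above threshold."""
    hits = []
    for option, payload in iter_subnegotiations(stream):
        if option == OPT_LINEMODE and payload[:1] == bytes([LM_SLC]):
            slc_len = len(payload) - 1  # assumption: exclude the SLC sub-command byte
            if slc_len > threshold:
                hits.append(slc_len)
    return hits


# Constructed sample streams (not captured traffic): 3 and 40 SLC triplets.
HEADER = bytes([IAC, 251, OPT_LINEMODE, IAC, SB, OPT_LINEMODE, LM_SLC])
BENIGN = HEADER + bytes([3, 2, 3]) * 3 + bytes([IAC, SE])
OVERSIZED = HEADER + bytes([1, 0, 0]) * 40 + bytes([IAC, SE])
```

A hit from `oversized_slc` is a reason to inspect the session, and the result should be forwarded with the connection's source address to the same central log store as the port 23 firewall logs.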












