GNU InetUtils telnetd pre-auth buffer overflow (CVE-2026-32746)
Vulnerability
Summary
A critical CVE-2026-32746 flaw in GNU InetUtils telnetd lets an unauthenticated attacker trigger remote code execution as root over port 23, exposing internet-facing Telnet services to full compromise. The bug is an out-of-bounds write in the LINEMODE SLC suboption handler that can be reached during the initial Telnet handshake, before any login prompt appears. Dream says the issue affects all versions through 2.7, and a fix is expected by April 1, 2026. Until then, operators are being told to disable Telnet, block port 23, or run the daemon without root privileges where possible.
Related Happenings
Sangoma FreePBX web shell exploitation wave (CVE-2025-64328)
Exploitation Wave
First: 27.02.2026 19:59
Last: 27.02.2026 19:59
Sources 1
About this happening:
More than **900 Sangoma FreePBX** instances remain **web-shell infected** after an **ongoing exploitation wave** tied to **CVE-2025-64328**. The affected systems span the **U.S.**...
GNU InetUtils telnetd remote authentication bypass (CVE-2026-24061)
Vulnerability
First: 22.01.2026 18:30
Last: 22.01.2026 18:30
Sources 1
About this happening:
A **critical remote authentication bypass** in **GNU InetUtils telnetd** lets attackers skip login and reach **root access** on affected releases. The flaw is tracked as **CVE-202...
Timeline
- 18.03.2026 07:06 · 2 articles
Dream discloses CVE-2026-32746 in GNU InetUtils telnetd
Initial Disclosure
Dream disclosed CVE-2026-32746, a critical out-of-bounds write in GNU InetUtils telnetd's LINEMODE SLC suboption handler that can let an unauthenticated remote attacker achieve remote code execution as root during the Telnet handshake on port 23. Dream said the flaw affects all versions of the Telnet service implementation through 2.7, with a fix expected no later than April 1, 2026, and advised disabling Telnet, blocking port 23, or running telnetd without root privileges where required.
- Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE via Port 23 — thehackernews.com — 18.03.2026 07:06