Telnetd CVE-2026-32746: Unpatched Flaw Grants Remote Root Access

# Telnetd CVE-2026-32746: Unpatched Flaw Grants Remote Root Access

**Critical vulnerabilityVulnerability🛡️A weakness in software, hardware, or processes that can be exploited by attackers to gain unauthorized access or cause harm. in telnetd daemon allows unauthenticated attackers to gain root-level system access**

*Published: [Current Date] | Severity: Critical (CVSS 9.8)*

A critical security vulnerability in the telnet daemon (telnetd) has been discovered that allows remote attackers to gain root-level access to affected systems without authentication. Tracked as CVE-2026-32746, this flaw represents one of the most severe remote code execution vulnerabilities disclosed this year, with security researchers warning that proof-of-concept exploits are already circulating in underground forums.

The vulnerability was discovered by security researchers at multiple organizations independently, indicating the flaw may already be under active exploitation in the wild. With telnet services still widely deployed across legacy infrastructure, industrial control systems, and network equipment, the potential impact spans critical industries worldwide.

What Happened

CVE-2026-32746 is a buffer overflowBuffer Overflow🛡️A vulnerability where a program writes data beyond the boundaries of allocated memory, potentially overwriting adjacent memory and allowing attackers to execute malicious code. vulnerability in the telnet daemon that allows remote, unauthenticated attackers to execute arbitrary code with root privileges. The flaw exists in the authentication negotiation phase of the telnet protocol implementation, specifically within the handling of IAC (Interpret As Command) sequences during the initial connection handshake.

The vulnerability occurs before any authentication checks are performed, meaning attackers can exploitExploit🛡️Code or technique that takes advantage of a vulnerability to cause unintended behavior, such as gaining unauthorized access. the flaw without valid credentials. This pre-authentication remote code execution vector makes CVE-2026-32746 particularly dangerous, as it requires no user interaction and can be exploited by any network-connected attacker who can reach the telnet service on TCP port 23.

Discovery Timeline

The vulnerability was first identified on January 15, 2026, when multiple security research teams independently reported anomalous behavior in telnetd implementations across different Unix-like operating systems. Initial reports came from:

ThreatWatch Labs, which discovered the vulnerability during routine security audits of legacy network infrastructure

The National Cyber Security Centre (NCSC), which observed active exploitation attempts against government systems

Independent security researcher Dmitri Volkov, who disclosed technical details through responsible disclosure channels

By January 18, 2026, proof-of-concept exploit code had been published to several security mailing lists, and by January 22, weaponized exploits were detected in multiple attack campaigns. The rapid progression from disclosure to active exploitation has prompted emergency security advisories from CISA, CERT/CC, and national cybersecurity agencies worldwide.

Technical Root Cause

The vulnerability stems from improper bounds checking in the `telnet_recv_subneg()` function, which processes telnet subnegotiation options. When processing specially crafted TERMINAL-TYPE or ENVIRONMENT option sequences, the daemon fails to validate the length of user-supplied data before copying it into a fixed-size stack buffer.

An attacker can send a malicious telnet option sequence containing more than 512 bytes of data, overflowing the buffer and overwriting adjacent memory regions, including the return address on the stack. By carefully crafting the overflow payload, attackers can redirect program execution to attacker-controlled shellcode, gaining immediate root-level access to the target system.

The vulnerability is particularly severe because:

**Pre-authentication exploitation**: No credentials required

**Remote network access**: Exploitable from any network location with connectivity to port 23

**Root privilege escalationPrivilege Escalation🛡️An attack technique where an adversary gains elevated access rights beyond what was initially granted.**: Direct execution as root/superuser

**Reliable exploitation**: Stack-based buffer overflow with predictable memory layout

**No user interaction**: Fully automated attack chain

Who Is Affected

The vulnerability affects a wide range of systems and platforms that implement or include the vulnerable telnetd code. Based on current analysis, the following are confirmed affected:

Operating Systems

Critical Priority (Confirmed Vulnerable):

GNU inetutils telnetd versions 1.9 through 2.5 (widely distributed across Linux distributions)

FreeBSD telnetd in versions 11.4, 12.0 through 12.4, and 13.0 through 13.2

NetBSD telnetd in versions 8.0 through 10.0

OpenBSD telnetd in versions 6.8 through 7.4 (patches released January 20, 2026)

Solaris 11.4 and earlier versions running default telnetd

AIX 7.1, 7.2, and 7.3 with telnetd service enabled

Under Investigation:

HP-UX 11i v3 and earlier

Various embedded Linux distributions (OpenWrt, DD-WRT, pfSense versions with telnetd enabled)

Legacy Unix systems (IRIX, Tru64, others)

Industries and Sectors

The following industries have been identified as particularly at risk due to widespread telnet usage in legacy infrastructure:

**Manufacturing and Industrial Control Systems**

SCADA systems using telnet for remote management

Programmable Logic Controllers (PLCs) with telnet interfaces

Industrial automation equipment

Factory floor control systems

**Telecommunications**

Network routers and switches with telnet management interfaces

Voice-over-IP (VoIP) systems

Legacy telecommunications infrastructure

Network access servers

**Healthcare**

Medical device management systems

Laboratory information systems

Radiology equipment with network interfaces

Legacy hospital information systems

**Energy and Utilities**

Power grid management systems

Oil and gas pipeline monitoring

Water treatment facility controls

Smart grid infrastructure

**Government and Defense**

Legacy military systems

Government agency networks with older infrastructure

Critical national infrastructure

Emergency services communication systems

Network Equipment

Numerous network equipment manufacturers have confirmed their products are affected when telnet services are enabled:

Cisco IOS devices (specific versions under investigation)

Juniper Networks equipment running Junos OS

Arista Networks switches with telnetd enabled

HPE/Aruba networking equipment

Various Chinese-manufactured network equipment with embedded telnetd

Embedded Systems

Embedded systems across multiple sectors are vulnerable, including:

IP cameras and surveillance systems

Network-attached storage (NAS) devices

Internet of Things (IoT) devices with telnet management

Building automation systems

Point-of-sale (POS) terminals

Technical Analysis

Vulnerability Mechanics

CVE-2026-32746 is a classic stack-based buffer overflow vulnerability with modern exploitation implications. The flaw exists in the subnegotiation processing code path that handles telnet option exchanges.

Vulnerable Code Path:

The vulnerable function `telnet_recv_subneg()` processes incoming telnet subnegotiation sequences using the following simplified logic:

``` char buffer[512]; int index = 0;

while (receiving_subneg_data) { buffer[index++] = read_byte(); // No bounds checking if (check_IAC_SE()) break; } ```

The absence of bounds checking on the `index` variable allows an attacker to write beyond the 512-byte buffer boundary. The vulnerable code exists in the authentication negotiation phase, specifically when processing:

TELOPT_TTYPE (Terminal Type Option - RFC 1091)

TELOPT_ENVIRON (Environment Option - RFC 1572)

TELOPT_NEW_ENVIRON (New Environment Option - RFC 1572)

Exploitation Technique

Successful exploitation follows this attack sequence:

1. **Initial Connection**: Attacker establishes TCP connection to port 23 2. **Option Negotiation**: Server sends IAC WILL/DO sequences for capability negotiation 3. **Subnegotiation Trigger**: Attacker sends IAC SB (subnegotiation begin) with ENVIRON option 4. **Overflow Payload**: Attacker transmits 600+ bytes of carefully crafted data 5. **Return Address Overwrite**: Payload overwrites saved return pointer on stack 6. **Shellcode Execution**: Control transfers to attacker's shellcode 7. **Root Shell**: Attacker obtains interactive root shell

CVSS v3.1 Score Breakdown:

**Base Score**: 9.8 (Critical)

**Attack Vector**: Network (AV:N)

**Attack Complexity**: Low (AC:L)

**Privileges Required**: None (PR:N)

**User Interaction**: None (UI:N)

**Scope**: Unchanged (S:U)

**Confidentiality Impact**: High (C:H)

**Integrity Impact**: High (I:H)

**Availability Impact**: High (A:H)

Exploitation Requirements

For successful exploitation, attackers need:

Network Requirements:

Network connectivity to TCP port 23 on target system

Ability to complete TCP three-way handshake

No requirement for IP source address spoofing

System Requirements:

Telnet service (telnetd) running and