Critical Unauthenticated Root RCE in GNU InetUtils telnetd (CVE-2026-32746) Threatens Network Devices
What It Is — A newly disclosed flaw in the GNU InetUtils telnet daemon (telnetd) lets an unauthenticated remote attacker trigger an out‑of‑bounds write in the daemon's LINEMODE (Set) negotiation handling. Telnet option negotiation happens before any login prompt, and telnetd runs as root to handle logins, so the memory corruption can be turned into arbitrary code execution with root privileges without presenting any credentials.
Exploitability — The vulnerability is publicly disclosed, carries a CVSS 9.8 (Critical) score, and proof‑of‑concept code has been released. A public PoC for a pre‑authentication bug reachable on any open TCP/23 listener lowers the bar substantially, so exploitation attempts should be expected even though the source does not report confirmed in‑the‑wild attacks.
Affected Products — Any Linux‑based system or network appliance that ships the GNU InetUtils telnetd and leaves port 23 exposed, including routers, IoT gateways, legacy servers, and embedded devices. Note that other telnet daemons (for example the BusyBox and netkit implementations) are separate code bases and are not covered by this advisory; a device exposing port 23 is not necessarily affected until the daemon in use has been identified on the host.
TPRM Impact — Third‑party risk teams must treat this as a supply‑chain threat: a root shell on a vendor‑managed appliance or gateway gives an attacker a foothold from which to pivot into critical internal networks, exfiltrate data, or disrupt services, and the same vulnerable firmware image is often deployed across many customers of the same vendor.
Recommended Actions —
- Immediately disable telnet on all assets or restrict it to trusted management networks.
- Apply the upstream fix from GNU InetUtils (upgrade to release 2.5 or later), and for appliances and firmware that bundle InetUtils, obtain a rebuilt image from the vendor rather than assuming the host package manager covers it.
- Conduct a rapid inventory of all devices exposing port 23, confirm on each host which telnet daemon and version is actually running, and record patch status; treat hosts where this cannot be verified as vulnerable until proven otherwise.
- Deploy network‑level IDS/IPS signatures for the published exploit payloads, and alert on any inbound TCP/23 session to hosts that are not supposed to serve telnet at all.
- Review and harden remote access policies, enforcing SSH or VPN‑based management instead of telnet.
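The inventory and patch‑verification steps above can be scripted. The following is an added example written for this page; it is not code from the advisory, The Hacker News, or the GNU InetUtils project. It takes nmap grepable output to find hosts with TCP/23 open, then checks a per‑host `telnetd --version` string against the 2.5 release the advisory cites as fixed. The scan output and version strings below are constructed samples, and the `telnetd (GNU inetutils) X.Y` version‑string format is an assumption.

```python
"""Telnet exposure triage for the InetUtils telnetd advisory.

Added example for this page; not code from the advisory or the InetUtils project.
Assumptions: the nmap grepable sample and per-host version strings are constructed,
the version-string format ``telnetd (GNU inetutils) X.Y`` is assumed, and 2.5 is
taken from the advisory's "2.5 or later" recommendation."""
import re
from typing import Dict, List, Optional, Tuple

FIXED_VERSION: Tuple[int, ...] = (2, 5)  # first release the advisory treats as fixed

# Constructed sample of `nmap -p 23 -oG -` output, one host per line (not a real scan).
SAMPLE_NMAP_GREPABLE = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.0.5 (gw-1.example)\tPorts: 23/open/tcp//telnet///
Host: 10.0.0.6 ()\tPorts: 23/closed/tcp//telnet///
Host: 10.0.0.7 (cam-3.example)\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///
Host: 10.0.0.8 ()\tPorts: 23/filtered/tcp//telnet///\tIgnored State: closed (0)
# Nmap done (constructed sample)
"""

# Constructed `telnetd --version` output collected on-host (e.g. over SSH), keyed by IP.
# 10.0.0.7 has no entry: nobody has checked that device yet.
SAMPLE_VERSIONS: Dict[str, str] = {
    "10.0.0.5": "telnetd (GNU inetutils) 2.4",
    "10.0.0.6": "telnetd (GNU inetutils) 2.5",
}

VERSION_RE = re.compile(r"telnetd \(GNU inetutils\) (\d+(?:\.\d+)*)")


def hosts_exposing_telnet(grepable: str) -> List[str]:
    """Return the IPs whose nmap grepable record shows TCP/23 in state 'open'."""
    exposed = []
    for line in grepable.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]  # "Host: <ip> (<hostname>)"
        ports_field = next((f for f in fields if f.startswith("Ports: ")), None)
        if ports_field is None:
            continue
        for entry in ports_field[len("Ports: "):].split(", "):
            port, state, proto = entry.split("/")[:3]  # "23/open/tcp//telnet///"
            if port == "23" and proto == "tcp" and state == "open":
                exposed.append(ip)
                break
    return exposed


def parse_inetutils_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Extract a numeric version tuple from a GNU InetUtils telnetd version string.

    Returns None when the banner does not identify GNU InetUtils telnetd
    (a BusyBox or netkit daemon, or an unrecognised format)."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def patch_status(banner: Optional[str]) -> str:
    """Classify one host as 'patched', 'vulnerable' or 'unknown'.

    Tuples are compared numerically so that 2.10 correctly ranks above 2.5."""
    if banner is None:
        return "unknown"
    version = parse_inetutils_version(banner)
    if version is None:
        return "unknown"  # not verified as InetUtils; treat as unresolved, not safe
    return "patched" if version >= FIXED_VERSION else "vulnerable"


def triage(grepable: str, versions: Dict[str, str]) -> Dict[str, str]:
    """Map every host exposing TCP/23 to its patch status; non-exposed hosts are omitted."""
    return {ip: patch_status(versions.get(ip)) for ip in hosts_exposing_telnet(grepable)}


if __name__ == "__main__":
    for ip, status in triage(SAMPLE_NMAP_GREPABLE, SAMPLE_VERSIONS).items():
        print(f"{ip}: telnet exposed, telnetd {status}")
```

On the constructed sample this reports 10.0.0.5 as vulnerable (exposed, running 2.4) and 10.0.0.7 as unknown (exposed, never checked), while 10.0.0.6 is dropped because its port is closed even though its daemon is patched. The "unknown" bucket is deliberate: a remote banner grab cannot reliably distinguish GNU InetUtils telnetd from other daemons, so the version string has to be collected on the host, and an exposed device that cannot be verified belongs on the remediation list, not off it.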
Source: The Hacker News