INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Critical Unpatched Telnetd Flaw Enables Root RCE via Port 23
2026-03-18 05:06 | CRITICAL HIGH
Executive Summary AI-generated
A critical security flaw in the Telnet service implementation through 2.7, affecting all versions worldwide, has raised concerns that unauthenticated remote attackers could exploit it to execute arbitrary code with elevated privileges. The vulnerability, tracked as CVE-2026-32746 and carrying a CVSS score of 9.8 out of 10.0, can be leveraged for post-exploitation actions such as data exfiltration and lateral movement. Researchers disclosed the flaw nearly two months after another critical security flaw was reported in GNU InetUtils telnetd (CVE-2026-24061), which could also lead to remote code execution. A fix is expected by April 1, but active exploitation has already begun in the wild; an unauthenticated attacker can trigger the flaw by connecting to port 23 and sending a crafted SLC suboption. To mitigate this risk, organizations are advised to disable the Telnet service if it is not necessary, run telnetd without root privileges where it is required, block port 23 at the network perimeter and at the host-based firewall, and isolate Telnet access.
Technical Mitigations AI-generated
* Disable Telnetd if not necessary: If telnetd is not required for system operations, consider disabling it to prevent unauthorized access.
* Run without root privileges where the service is required: If telnetd must stay enabled, run it without root privileges, and let it run as root only when the specific service or process requires elevated privileges.
* Block port 23 at network perimeter and host-based firewall level: Block incoming connections to port 23 on both the network perimeter and host-based firewall levels to restrict access and prevent exploitation of this vulnerability.
* Isolate Telnet access: Isolate Telnet access by configuring firewalls, intrusion detection systems (IDS), or other security controls to block unauthorized access to telnetd.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-24061
CVE-2026-32746
Target & Sectors
Global Scope
Incident Timeline
March 19, 2015
Threat actors exploited a critical unpatched Telnetd flaw (CVE-2026-32746) in the 1.9.3 version of the software, which was introduced as part of a source code commit on March 19, 2015.
Josefsson also noted that the vulnerability was introduced as part of a source code commit made on March 19, 2015, which eventually made it to version 1.9.3 release on May 12, 2015.
May 12, 2015
Threat actors exploited a critical unpatched Telnetd flaw (CVE-2026-32746) in the 1.9.3 version of the software, which was introduced on March 19, 2015.
January 19, 2026
Threat actors exploited a critical unpatched Telnetd vulnerability (CVE-2026-32746) to gain unauthorized access via port 23.
Jan 22, 2026
Threat actors exploited a critical unpatched Telnetd vulnerability (CVE-2026-32746) to gain unauthorized access via port 23.
Jan 22
Threat actors exploited a previously unknown vulnerability in the GNU InetUtils telnet daemon (telnetd) to gain unauthorized access via port 23.
Ravie Lakshmanan, Jan 22, 2026, Vulnerability / Linux
A critical security flaw has been disclosed in the GNU InetUtils telnet daemon (telnetd) that went unnoticed for nearly 11 years.
January 26, 2026
Threat actors exploited a critical unpatched Telnetd flaw (CVE-2026-24061) to gain unauthorized access via port 23.
Update: On January 26, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-24061 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the patches by February 16, 2026.
February 16, 2026
Threat actors used an unpatched Telnetd flaw to target the Federal Civilian Executive Branch (FCEB) via port 23.
March 11, 2026
Threat actors exploited a critical unpatched Telnetd flaw in the Telnet service implementation through version 2.7 to gain unauthorized access via port 23.
Israeli cybersecurity company Dream, which discovered and reported the flaw on March 11, 2026, said it affects all versions of the Telnet service implementation through 2.7.
Mar 18, 2026
Threat actors exploited a critical unpatched Telnetd flaw (CVE-2026-32746) that enabled an Unauthenticated Root Remote Code Execution (RCE) attack via port 23.
The vulnerability, tracked as CVE-2026-32746, carries a CVSS score of 9.8 out of 10.0.
It has been described as a case of out-of-bounds write in the LINEMODE Set Local Characters (SLC) suboption handler that results in a buffer overflow, ultimately paving the way for code execution.
18, 2026
Threat actors used a critical unpatched telnetd flaw to target vulnerable systems via port 23.
Ravie Lakshmanan, Mar 18, 2026, Vulnerability / Data Protection
Cybersecurity researchers have disclosed a critical security flaw impacting the GNU InetUtils telnet daemon (telnetd) that could be exploited by an unauthenticated remote attacker to execute arbitrary code with elevated privileges.
2026-03-18
Threat actors used the GNU InetUtils telnetd flaw to target systems with versions 1.9.3 or later, enabling unauthenticated root RCE via port 23.
Critical GNU InetUtils telnetd Flaw Lets Attackers Bypass Login and Gain Root Access.
The vulnerability, tracked as CVE-2026-24061, is rated 9.8 out of 10.0 on the CVSS scoring system.
It affects all versions of GNU InetUtils from version 1.9.3 up to and including version 2.7.
"Telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a '-f root' value for the USER environment variable," according to a description of the flaw in the NIST National Vulnerability Database (NVD).
In a post on the oss-security mailing list, GNU contributor Simon Josefsson said the vulnerability can be exploited to gain root access to a target system -
The telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter.
This happens because the telnetd server do [sic] not sanitize the USER environment variable before passing it on to login(1), and login(1) uses the -f parameter to by-pass normal authentication.
As temporary workarounds, users can disable telnetd server, or make the InetUtils telnetd use a custom login(1) tool that does not permit use of the '-f' parameter, Josefsson added.
Data gathered by threat intelligence firm GreyNoise shows that 21 unique IP addresses have been observed attempting to execute a remote authentication bypass attack by leveraging the flaw over the past 24 hours.
All the IP addresses, which originate from Hong Kong, the U.S., Japan, the Netherlands, China, Germany, Singapore, and Thailand, have been flagged as malicious.
"Analysis of the combined sessions reveals a coordinated exploitation campaign targeting Telnet services (TCP/23) using the Inetutils telnetd -f authentication bypass vulnerability," the company said.
"Post-exploitation activities include system reconnaissance, SSH key persistence, and malware deployment attempts.
April 1, 2026
Threat actors used a telnetd vulnerability (CVE-2026-32746) to exploit an unpatched flaw, enabling remote code execution as root via port 23.
The disclosure comes nearly two months after another critical security flaw was disclosed in GNU InetUtils telnetd (CVE-2026-24061, CVSS score: 9.8) that could be leveraged to gain root access to a target system.
no later than April 1, 2026
Threat actors exploited a critical unpatched Telnetd flaw (CVE-2026-32746) to gain unauthorized access via port 23.
Tactical Metrics
* Affected Product (infrastructure): Linux
* Software Version (infrastructure): 1.9.3
* Software Version (infrastructure): 2.7
* Unique Ip Addresses (infrastructure): 21
Intelligence Sources
* The Hacker News, 2026-01-22
* The Hacker News, 2026-03-18
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T11:02
Comprehensive Tactical Telemetry
Highly Correlated Entities
* 15x organisation (Identified Entity): IP
* 14x timeline (Temporal Reference): Jan 22, 2026
* 8x source region (Origin Country): Hong Kong
* 8x attribution (Attributing Entity): Update On
* 5x tactic (Cyber Operation Type): Reconnaissance
* 2x vulnerability (Exploited CVE): CVE-2026-24061
* 2x infrastructure (Software Version): 1.9.3
Contextual Telemetry
Context Block: 8 METRICS
* infrastructure, Affected Product: Linux
* general metric, Cve-2026: 10
* general metric, Version: 3
* tactic, MITRE ATT&CK Technique: T1588.006 - Vulnerabilities
* infrastructure, Unique Ip Addresses: 21
* general metric, Past Hours: 24
* vulnerability, CVSS Score: 10
* general metric, Port: 23