A critical, unpatched vulnerability in GNU InetUtils telnetd — tracked as CVE-2026-32746 and scored 9.8 on the CVSS scale — allows any unauthenticated attacker to achieve root-level code execution on an affected system by sending a single malformed packet to port 23. No credentials. No user interaction. No login prompt. The attack fires before the server ever asks who you are. The underlying code that makes it possible is 32 years old.
Israeli cybersecurity firm Dream Security disclosed CVE-2026-32746 on March 18, 2026, after reporting the flaw to the GNU InetUtils security team on March 11. The advisory was assigned the internal identifier VULN-TELNETD-SLC-2025 and published publicly on March 13, 2026, with the oss-security mailing list post dated March 12. The vulnerability was discovered by the Dream Security Research Team: Adiel Sol, Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg, and Daniel Lubel. The flaw affects every version of GNU InetUtils telnetd through 2.7 — the current release — and no patch exists at time of publication. The GNU maintainers have confirmed the finding, committed an upstream fix (commit 6864598a on Codeberg), and an official release is expected no later than April 1, 2026. Until then, organizations with any exposure to TCP port 23 are operating with an open window to complete system takeover.
What the Vulnerability Is and How It Works
CVE-2026-32746 is classified as CWE-120: a classic buffer overflow caused by copying input into a fixed-size buffer without checking whether that buffer is full. The specific location of the flaw is the add_slc() function inside telnetd/slc.c, which handles LINEMODE Set Local Characters (SLC) suboption negotiation during the Telnet protocol handshake. What makes this finding particularly striking is the age of the code: watchTowr Labs confirmed that the vulnerable logic traces back to 1994 — making this a 32-year-old bug that survived undetected across three decades of Linux distribution releases, embedded system builds, and security audits. The same year the film Hackers was released, this flaw was already quietly waiting in the codebase.
To understand why this matters, it helps to know what LINEMODE SLC negotiation actually does. When a Telnet client connects to a server, the two sides negotiate a set of options — things like character echoing, line editing behavior, and which key combinations map to control signals. SLC suboptions carry these key mappings as triplets: three bytes each representing a function code, a flag, and a value. The add_slc() function appends each incoming triplet to an internal buffer named slcbuf. The problem is that the buffer is fixed at 108 bytes, and the function never verifies whether there is still room before writing. An attacker sends the overflow as a standard Telnet suboption frame — IAC SB LINEMODE LM_SLC <triplets> IAC SE (bytes 0xFF 0xFA 0x03 ... 0xFF 0xF0) — containing triplets with function codes above 18 (the NSLC boundary). After approximately 35 such triplets, the write runs past the buffer boundary and into adjacent BSS segment memory, corrupting roughly 400 bytes of adjacent variables including the slcptr pointer that end_slc() later uses to finalize the negotiation. Once that pointer is under attacker control, the result is an arbitrary write primitive.
It is worth being precise about what that arbitrary write primitive means in practice. watchTowr Labs researchers McCaulay Hudson and Aliz Hammond, who published an independent analysis on March 19, 2026, noted that while the overflow reliably produces memory corruption, pointer leaks, and arbitrary writes, achieving stable remote code execution is "difficult and environment-specific." The exploit path depends on the memory layout of the specific binary and runtime, ASLR posture, and whether mitigations such as stack canaries or full RELRO are in effect. In environments with older kernel versions, embedded systems without modern binary hardening, or OT deployments running stripped-down Linux builds, the bar for full RCE is lower. In hardened modern environments, the overflow is still serious — memory corruption and pointer leaks alone have downstream implications — but successful code execution requires more work from the attacker. Hudson and Hammond also noted that corrupting slcptr frequently causes the server to return heap addresses within the SLC response itself, providing an information leak primitive that attackers can use to map the target address space before final payload delivery. The public PoC demonstrates the mechanics reliably; weaponizing it for guaranteed RCE across diverse targets is the harder engineering problem.
The critical detail is the timing regardless of exploit complexity: all of this happens during the option negotiation phase, which occurs immediately after TCP connection establishment and before the server presents any login prompt. The attacker never needs to know a valid username or password.
One historical footnote worth noting: watchTowr Labs identified CVE-2005-0469 as CVE-2026-32746's direct predecessor on the client side. That 2005 CVE was a buffer overflow in the Telnet client's slc.c handling — the same class of flaw, in the mirror-image component, where a function named slc_add_reply() was missing an identical bounds check. The fix applied in 2005 was, in watchTowr's words, "an identical bounds check patch to today's vulnerability." The fact that the client-side version was found and patched in 2005 while the server-side equivalent sat unnoticed for another 21 years is a measure of how rarely anyone audits legacy Telnet code. It also echoes CVE-2001-0554, a buffer overflow in BSD telnetd's telrcv() function from over two decades ago — a reminder that this codebase has a long history of memory-safety issues that were never comprehensively reviewed.
watchTowr Labs researchers McCaulay Hudson and Aliz Hammond emphasized the breadth of the problem, noting that the vulnerable code is present in a significant share of systems running any kind of Telnet server — making the blast radius "vast and somewhat difficult to estimate." — (The Hacker News, March 18, 2026)
Dream Security researcher Adiel Sol documented the attack path precisely in the public advisory: a connection to port 23 triggers the overflow during SLC negotiation, corrupting memory in a way that produces an arbitrary write primitive. Because telnetd runs as root under inetd or xinetd in standard deployments, a successful exploit yields a root shell before any login prompt is reached. The Dream Security team's advisory, cited by The Hacker News on March 18, 2026, confirmed there is no credential or interaction requirement — the exploit fires entirely in the pre-authentication handshake phase. (The Hacker News, March 18, 2026)
The advisory further establishes the minimal bar for exploitation: reaching port 23 is the only precondition. No credentials, user interaction, or special network position are required. In the language of the CVSS scoring system, that translates to Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: None — hence the near-perfect 9.8 score. This maps directly to MITRE ATT&CK T1190 — Exploit Public-Facing Application, the canonical initial access technique for network-reachable service vulnerabilities of this class. For a parallel case study of pre-authentication remote code execution exploited by ransomware operators against network infrastructure, the Cisco FMC analysis covers how Interlock ransomware weaponized a similar attack surface within days of disclosure.
Public proof-of-concept code appeared on GitHub within hours of the advisory going public. The PoC, identified as jeffaf/cve-2026-32746, demonstrates both a non-destructive detection script and a crash-confirming exploit against a Dockerized Debian environment running inetutils-telnetd 2.4 under xinetd on port 2323. The technical description in that repository confirms the 108-byte buffer limit and the 40-triplet threshold at which overflow begins. In a separate analysis published March 19, watchTowr Labs also released a detection artifact that operates in a safe "probe mode" — connecting to a target, checking whether LINEMODE is advertised, and exiting without sending any overflow attempt. This makes it practical for defenders to scan legacy and OT-adjacent systems without risk of causing crashes SP 800-115. The public PoC and its derivatives will probe port 23 before they probe anything else T1595.001 — and the technical mechanics of the overflow are now widely understood and accessible, raising the probability that more targeted weaponized exploits will follow, particularly against OT and embedded environments where binary hardening is minimal.
As of March 20, 2026, no patched release of GNU InetUtils exists for CVE-2026-32746. The fix is expected by April 1, 2026. Until that release is confirmed and deployed, the only reliable protection is to disable telnetd entirely or block inbound access to TCP port 23 at the firewall level.
The Bigger Picture: A Second Telnetd Crisis in Eight Weeks
CVE-2026-32746 does not arrive in isolation. It follows a closely related, independently critical vulnerability in the same codebase that was publicly disclosed in January 2026 and is already being actively exploited in the wild.
That earlier flaw, CVE-2026-24061, was discovered by security researcher Kyu Neushwaistein (also known as Carlos Cortes Alvarez) and reported on January 19, 2026. It is a different class of bug — an argument injection vulnerability rather than a buffer overflow. It exploits how telnetd constructs the command line passed to /usr/bin/login. When a Telnet client sets the USER environment variable to the string -f root via the NEW_ENVIRON Telnet option, and telnetd inserts that value directly into the login command without validation, the resulting command becomes /usr/bin/login -h [hostname] -f root. The -f flag instructs login to skip authentication entirely and grant a shell to the named user. The result is instant root access without supplying any password. The flaw was introduced in a source code commit on March 19, 2015 and went undiscovered for nearly 11 years before Neushwaistein found it. CVE-2026-24061 carries the same CVSS 9.8 score as CVE-2026-32746 and affects GNU InetUtils versions 1.9.3 through 2.7.
add_slc() function is written as part of the GNU InetUtils telnetd LINEMODE SLC negotiation handler, inheriting code from the BSD telnetd codebase. The function copies incoming SLC triplets into a fixed-size buffer without bounds checking — a flaw that will remain undetected for 32 years.slc_add_reply() function, the mirror-image counterpart to add_slc() on the server side. The client fix is applied without checking whether the server-side function has the same omission. The server-side flaw persists for another 21 years./usr/bin/login. An attacker can set USER to -f root via the NEW_ENVIRON Telnet option, causing login to skip authentication entirely. This flaw goes undiscovered for nearly 11 years.add_slc() tracing to 1994. Discovered by a six-person research team (Adiel Sol, Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg, Daniel Lubel). Public PoC code appears on GitHub within hours. No patch exists. The upstream fix commit (6864598a) is already merged to Codeberg but not yet in a release.6864598a. Debian's security tracker already records the fix in inetutils version 2:2.7-4 (unstable). Distributions including FreeBSD, NetBSD, Citrix NetScaler, and DragonFlyBSD will require their own independent patch releases — timeline unconfirmed.GNU InetUtils maintainer Simon Josefsson confirmed that telnetd passes the USER environment variable from the client directly to the login command. When an attacker supplies the value-f root, the server ends up invoking/usr/bin/loginwith a flag that instructs it to "skip[] normal authentication" and grant a root shell immediately. — Simon Josefsson, GNU InetUtils Maintainer (oss-security mailing list, January 20, 2026)
CISA added CVE-2026-24061 to its Known Exploited Vulnerabilities (KEV) catalog on January 26, 2026, requiring Federal Civilian Executive Branch agencies to apply mitigations by February 16, 2026. Threat intelligence firm GreyNoise confirmed active exploitation within days of disclosure, with 21 unique IP addresses observed attempting the authentication bypass attack. Those addresses originated from Hong Kong, the United States, Japan, the Netherlands, China, Germany, Singapore, and Thailand — a distribution consistent with coordinated scanning infrastructure rather than isolated opportunistic attempts.
The patch for CVE-2026-24061 was introduced in two commits to the InetUtils Codeberg repository (fd702c02 and ccba9f74). The fix rejects any USER value beginning with a dash character. A patched version, GNU InetUtils 2.7-2, was made available for Debian, Ubuntu, Kali Linux, and other affected distributions. Red Hat confirmed its supported products were not affected.
The significance of having two CVSS 9.8 flaws in the same daemon within two months of each other is hard to overstate. These are not related bugs — one is memory corruption dating to 1994 code, the other is argument injection introduced in 2015 — which means they represent separate code review failures across different eras in a service that has had known security problems for years. The pattern suggests that telnetd's attack surface is receiving increased scrutiny from both researchers and threat actors. For context on how attackers pivot once they have authenticated remote access to a system, the SSH hijacking analysis covers the session-level techniques that often follow initial access through legacy remote services.
Who Is at Risk and Where Telnet Still Lives
The reflexive assumption that "nobody runs Telnet anymore" is wrong in a meaningful subset of environments. Internet-wide scanning data tells a more uncomfortable story, and it is worth being precise about what that data shows. According to Censys data cited in The Hacker News's March 18, 2026 coverage, approximately 3,362 hosts running GNU InetUtils specifically were exposed on port 23 as of that date. The broader Telnet landscape is much larger — SafeBreach's January 2026 analysis of CVE-2026-24061 cited Shodan data showing approximately 212,000 devices globally running Telnet services, with Censys counting closer to one million hosts listening on port 23 overall. Not all of those run GNU InetUtils telnetd, but the scope of the GNU InetUtils-specific exposure alone represents a meaningful and concentrated attack surface for a pre-auth root RCE.
CVE-2026-32746 affects all versions of GNU InetUtils telnetd through 2.7, covering a version range that spans roughly a decade: 1.9.3, 1.9.4, 2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, and 2.7. Confirmed affected Linux distributions include Debian, Ubuntu, Kali Linux, Trisquel, and SUSE Linux Enterprise Server 12 SP5-LTSS via its krb5-appl package. Beyond Linux, watchTowr Labs identified the same vulnerable code in FreeBSD 13 and 15, NetBSD 10.1, Citrix NetScaler, Apple Mac Tahoe, Haiku, TrueNAS Core, uCLinux, libmtev, and DragonFlyBSD — because the vulnerable slc.c logic has been copied across Telnet implementations for decades. CyCognito's exposure analysis found the vulnerability concentrated in Consumer Discretionary environments (50.7% of observed assets), with Industrials accounting for 16.3%, and smaller shares across Information Technology (7.1%), Consumer Staples (6.3%), and Energy (3.3%). Any embedded system, IoT device, or network appliance shipping GNU InetUtils telnetd at version 2.7 or earlier is in scope.
The environments where real risk concentrates are those where Telnet was never removed because removing it was never a priority — or never operationally possible. Industrial Control Systems (ICS) and Operational Technology (OT) networks are the clearest example SP 800-82r3. Dream Security's advisory noted that Telnet "remains particularly prevalent in Industrial Control Systems" and government networks where modernization cycles are slow. (Industrial Cyber, March 2026.) Programmable logic controllers, SCADA systems, and older network appliances frequently rely on Telnet as their exclusive remote management interface, and upgrading them is expensive, operationally disruptive, or simply not supported by the original equipment vendor. For defenders tracking how nation-state actors are actively targeting critical infrastructure across simultaneous fronts in 2026, the broader campaign context shows why unpatched legacy remote-access services are being prioritized as entry points.
Cybersecurity News described the OT consequence directly: a Telnet-enabled SCADA controller exposed to a network could be remotely compromised with a single connection T1059.004, potentially allowing attackers to manipulate physical processes such as power distribution or manufacturing operations. In ICS environments, initial access via a legacy remote service like Telnet is classified under ICS ATT&CK T0822 — External Remote Services, and post-compromise modification of control system firmware or logic falls under T0845 — Program Upload. For defenders managing OT environments, this is not a hypothetical. It is an incident-level risk that exists right now, without a patch to apply.
Exploitation Probability: EPSS, IPv6, and Internal Networks
CVSS 9.8 describes the severity of impact if the vulnerability is exploited. It says nothing about the probability of exploitation in the wild — that is EPSS territory. The Exploit Prediction Scoring System assigns a daily probability that a given CVE will be exploited within the next 30 days, based on signals including PoC availability, exploitation of related CVEs, and scanning activity. CVE-2026-32746 has public PoC code, a technically well-documented overflow mechanism, a related CVE already on CISA's KEV catalog, and a growing body of analysis from multiple research groups. All of those signals push EPSS probability upward, independent of CVSS score. Organizations prioritizing remediation by CVSS severity alone — which is a common mistake — will not capture how quickly this CVE is moving toward active weaponization. Check the current EPSS score for CVE-2026-32746 at first.org/epss before determining your remediation timeline.
A question the advisories do not address directly: does this vulnerability apply to IPv6 listeners? The CVSS vector specifies Attack Vector: Network, which means any network-reachable instance — IPv4 or IPv6. GNU InetUtils telnetd can be configured to listen on IPv6 interfaces, and many organizations apply IPv4 firewall rules without equivalent IPv6 rules, particularly on older Linux deployments where IPv6 was configured separately or left at defaults. Attackers enumerating network configuration to identify exposed services T1016 will find IPv6-bound telnetd instances just as readily as IPv4 ones. If your system has an IPv6 address and telnetd is bound to :: (all interfaces), blocking TCP port 23 in your IPv4 iptables rules alone is insufficient. Verify with ss -tlnp6 | grep ':23' and ensure IPv6-specific firewall rules — whether ip6tables rules or a unified nftables ruleset — explicitly block inbound port 23 on all interfaces. This is a gap that standard advisory guidance rarely calls out explicitly.
A second assumption worth challenging: the idea that internal-only Telnet services are safe. The CVSS AV:N classification means any attacker with network connectivity can reach the vulnerable service — and "network connectivity" includes internal corporate networks, VPN tunnels, cloud VPCs, and lateral movement from a previously compromised host. An attacker who has already established a foothold elsewhere in your environment can pivot to any telnetd instance reachable from that position, regardless of whether port 23 is exposed to the internet. Telnet services sitting behind a perimeter firewall but accessible from a flat internal network segment are not protected from an attacker who is already inside. Network segmentation — isolating any Telnet-dependent systems into dedicated management VLANs with restricted inter-segment routing — is the control that addresses this scenario, and it is worth applying even when internet exposure has been blocked.
What Happens After Root: Post-Exploitation Paths
The article has described how an attacker reaches root on a telnetd host. What happens next is a separate question, and it is one that most advisories skip entirely. Understanding the post-exploitation path matters because it determines both the incident response playbook and the downstream blast radius — which is often much larger than the initial access point implies.
A root shell on a telnetd host via CVE-2026-32746 gives an attacker the same access level as the service account running the daemon, which in default configurations is root. From that position, the immediate priorities for a capable attacker are persistence, credential harvesting, and lateral movement. For persistence, the attacker can install a cron job T1053.003, SSH authorized key T1098.004, PAM module backdoor, or a systemd unit T1543.002 that survives reboots. On embedded or OT systems where read-only root filesystems are not enforced, firmware modification is also possible. For credential harvesting, the compromised host's /etc/shadow T1003.008, any SSH private keys in home directories T1552.004, and any cleartext credentials that passed through the Telnet session itself T1040 (Telnet transmits everything in plaintext, including all authentication attempts) are immediately available. On a SCADA or ICS host, process historian credentials, engineering workstation credentials, and OT protocol authentication material may also be present.
Lateral movement from a Telnet host is where the incident scope typically expands T1021.004. Because Telnet is predominantly used in environments with older or simpler network architectures, the systems reachable from a compromised Telnet host tend to be high-value: engineering workstations, PLCs, historians, and management servers that control industrial processes. These environments frequently lack EDR coverage and rely on network segmentation that was designed for operational separation rather than attacker containment. A compromised GNU InetUtils telnetd host on a management VLAN is not a contained incident — it is a position from which an attacker can reach far more sensitive assets. Incident response for this CVE should assume the Telnet host is not the target; it is the entry point SP 800-61r2.
On standard Linux systems, defenders should look for these post-compromise indicators specifically: new SSH authorized keys added to ~root/.ssh/authorized_keys; new cron entries in /var/spool/cron/crontabs/root or /etc/cron.d/; new or modified systemd unit files in /etc/systemd/system/; unexpected entries in /etc/passwd or /etc/sudoers; and any binaries written to /tmp, /dev/shm, or other writable directories outside the normal package tree T1036. On auditd-instrumented systems, look for execve calls descending from the telnetd process tree at any time outside a normal authenticated session. Log tampering to cover these tracks maps to T1070.002 — check for gaps or truncations in /var/log/auth.log and /var/log/syslog as early indicators of post-exploitation cleanup.
Why 30 Years of Audits Missed This
The fact that a bounds-check omission in add_slc() went undetected from 1994 to 2026 — through dozens of Linux distribution releases, multiple CVE programs, and a large body of published Telnet security research — demands an explanation. The reason is not that the code was hidden or obscure. It is that Telnet was treated as a known-insecure, use-at-your-own-risk protocol for so long that nobody thought to audit it carefully for new classes of vulnerability. The security community wrote Telnet off as a threat model problem — "just don't use it" — rather than treating the deployed base as an asset requiring rigorous code review.
The 2005 client-side patch (CVE-2005-0469) makes this gap particularly striking. When slc_add_reply() in the Telnet client was found to be missing a bounds check, the fix was applied to the client. The server-side mirror function, add_slc(), was never checked for the same class of flaw. This is a well-documented failure pattern in security audits: fixes are applied locally to the reported location without asking whether the same assumption error exists elsewhere in the codebase. In a protocol implementation where client and server are closely symmetric — Telnet's negotiation is explicitly bidirectional — checking only one side is a systematic omission.
There is also a tooling gap. Static analysis tools like Coverity and CodeQL can identify missing bounds checks, but they require the codebase to be included in analysis scope. GNU InetUtils telnetd, as a legacy utility shipped in nearly every major Linux distribution, exists in a category of software that is distributed widely but audited rarely. The NIST Secure Software Development Framework (SSDF) SP 800-218 codifies practices like PW.7 (review and analyze human-readable code for security vulnerabilities) and PW.8 (test executable code for security vulnerabilities) that, had they been systematically applied to GNU InetUtils, would have been likely to surface the missing bounds check in add_slc(). Package maintainers apply upstream patches; they do not typically run independent static analysis passes on every package they ship. The code was present in millions of systems but effectively outside any active security review process. That combination — widespread deployment plus the assumption that legacy = abandoned = not worth auditing — is precisely the environment in which 32-year-old bugs survive.
The pattern is instructive for defenders: the highest-risk unaudited code in any environment is not the newest software, which attracts attention. It is the oldest software that is still running in production because it was never replaced. Telnet implementations, older SNMP stacks, legacy X.11 servers, and decade-old VPN daemon codebases all carry the same risk profile as add_slc(). The question worth asking in every organization is not "which new software do we need to patch?" but "which old software have we stopped thinking about?"
Mitigation Steps Until the Patch Arrives
Because no official patch is available as of this writing, every mitigation strategy currently available operates at the level of reducing exposure rather than eliminating the underlying flaw. The standard advisory guidance — disable the service, block the port — is necessary but insufficient for environments that cannot simply pull the plug on Telnet. The following covers both the baseline controls and the deeper technical mitigations that go well beyond what any published advisory has proposed, ordered from simplest to most surgically targeted.
Step 1: Disable the service or block the port
The first and most effective step is to disable telnetd entirely on any system where it is not strictly required for business operations SP 800-53 CM-7. If a system is running telnetd by default via inetd or xinetd without a specific operational reason, disabling the service removes the exposure completely. For environments where Telnet access cannot be removed, block inbound TCP connections to port 23 at both the network perimeter firewall and any host-based firewall SP 800-53 SC-7. This prevents the exploit from reaching the vulnerable code even if telnetd remains running. Network segmentation is the third layer: isolate any system that requires Telnet access so that it is reachable only from trusted management networks and not from broader enterprise segments or the internet. This pattern of network-level isolation as a compensating control while waiting for a vendor patch is not unique to this CVE — it is the same approach required for the HPE AOS-CX authentication bypass (CVE-2026-23813) and other critical pre-auth network vulnerabilities disclosed this month.
Step 2: nftables connection-rate limiting on port 23
Blocking port 23 entirely is the right answer when Telnet can be removed. Where it cannot, rate-limiting inbound TCP connections to port 23 at the kernel level addresses a specific weakness of memory-disclosure-based exploit chains: they require repeated connections to leak ASLR randomization, map the heap, and refine payloads across multiple attempts. An nftables ruleset that allows a small burst of connections per source IP but drops rapid reconnects prevents that iteration loop even if the initial overflow trigger lands. The following ruleset permits up to five connections per 60-second window from any single source, drops the sixth and beyond, and logs the drop for detection — without blocking legitimate administrative access from a known management workstation:
#!/usr/sbin/nft -f
# nftables: rate-limit port 23 connections per source IP
# Allows 5 connections per 60s burst; drops and logs excess.
# Apply with: nft -f /etc/nftables-telnet-ratelimit.conf
add table inet filter
add chain inet filter input { type filter hook input priority 0; policy accept; }
add rule inet filter input \
tcp dport 23 \
ct state new \
meter telnet_rate { ip saddr timeout 60s limit rate over 5/minute } \
log prefix "TELNET_RATELIMIT: " dropThis does not close the vulnerability — a patient attacker who space their connection attempts will still reach the overflow — but it substantially raises the cost of the iterative leak-and-refine approach that reliable RCE requires on hardened deployments. Combined with the detection note below, the rate-limit log entries themselves become a high-fidelity indicator of active exploitation targeting that host.
Step 3: TCP wrappers and pre-spawn connection filtering via inetd
Most advisories ignore the fact that on systems where telnetd runs under inetd or xinetd, a filtering layer exists before telnetd is ever invoked. The tcpd wrapper — which inetd calls transparently when tcp_wrappers support is compiled in — evaluates /etc/hosts.allow and /etc/hosts.deny before spawning the service binary. This means that a correctly configured TCP wrapper denies the connection at the inetd level, before GNU InetUtils telnetd is forked and before a single byte of Telnet negotiation is processed. The overflow in add_slc() cannot fire if telnetd is never spawned. On systems where ldd $(which telnetd) | grep libwrap returns a match, add the following to /etc/hosts.deny to block all sources not explicitly whitelisted, then populate /etc/hosts.allow with only the specific management host IPs that require access:
# /etc/hosts.deny — deny all telnetd connections by default
telnetd: ALL
# /etc/hosts.allow — permit only specific management IPs
# Replace with your actual management network CIDR
telnetd: 192.168.10.0/24
# Verify libwrap linkage before relying on this:
# ldd $(which telnetd) | grep libwrapThis approach works only when telnetd is compiled with libwrap support, which is the default in most distribution packages but not guaranteed in embedded or custom builds. Verify before relying on it. For xinetd deployments, the equivalent is the only_from directive in the service's xinetd configuration file, which xinetd evaluates before forking the service — achieving the same pre-spawn filtering effect without requiring libwrap.
Step 4: Privilege reduction for telnetd
Where telnetd must remain operational, running it with the lowest possible privileges — rather than as root — limits the impact of a successful exploit SP 800-53 AC-6. If an attacker achieves code execution under a reduced-privilege account, the path to full system compromise requires an additional local privilege escalation step, which adds friction even if it does not provide complete protection. Where the inetd wrapper supports it, launching telnetd under a dedicated low-privilege service account and applying a Linux capability set that grants only the specific capabilities needed (such as CAP_SETUID for user switching but not CAP_SYS_ADMIN) is a meaningful hardening step that few deployments have taken.
Step 5: seccomp-bpf syscall allowlist for telnetd
This is the mitigation that the advisories do not discuss but that provides the strongest post-exploit containment short of a full MAC policy. Linux's seccomp-bpf mechanism allows a process to install a Berkeley Packet Filter program that restricts which syscalls that process — and all its descendants — can invoke. If telnetd is wrapped with a seccomp profile that permits only the syscalls required for normal session operation (primarily read, write, socket, accept, fork, execve for /bin/login specifically, and a small set of signal and memory management calls) and denies everything else, then even a fully successful RCE exploit cannot invoke execve with an arbitrary payload, write to arbitrary paths, or load kernel modules. The attacker has root in memory but cannot do anything meaningful with it.
The practical approach is to use systemd's built-in seccomp support rather than a custom BPF program. Add the following to a systemd override for the inetutils-telnetd socket unit, which confines every telnetd process spawned from that socket to a predefined system call set:
# /etc/systemd/system/inetutils-telnetd.service.d/harden.conf
# Apply with: systemctl daemon-reload
[Service]
# Restrict to essential syscall groups only
SystemCallFilter=@system-service @network-io @process
SystemCallFilter=~@privileged @obsolete @raw-io @reboot @swap @module
# Block writes to common persistence paths
ReadOnlyPaths=/root/.ssh /etc/cron.d /etc/cron.hourly /etc/cron.daily
ReadOnlyPaths=/etc/systemd/system /etc/passwd /etc/shadow /etc/sudoers
# No new privilege escalation beyond what telnetd already has
NoNewPrivileges=no
# Prevent access to kernel tunables
ProtectKernelTunables=yes
ProtectKernelModules=yes
# Isolate /tmp from the rest of the system
PrivateTmp=yesThe ReadOnlyPaths directives are especially important: they surgically block every common persistence path an attacker would target post-exploit — SSH authorized_keys, cron jobs, systemd units, and the credential files — without affecting telnetd's normal operation. An attacker who achieves root via CVE-2026-32746 on a system with this override in place cannot write to any of those locations. The PrivateTmp=yes directive removes the shared /tmp as a staging area. This does not prevent every post-exploit action, but it eliminates the most common persistence and lateral movement preparation steps.
Step 6: AppArmor profile for telnetd
For distributions where AppArmor is the default MAC framework (Ubuntu, Debian, SUSE), a tight AppArmor profile provides a complementary layer to the systemd hardening above. Where the systemd override covers syscalls and mount visibility, an AppArmor profile governs file access paths, network capabilities, and execution rights at the LSM level — enforced by the kernel independently of whether systemd is running. Generate a base profile with aa-genprof telnetd, run a representative set of legitimate sessions to capture the access pattern, then tighten the resulting profile to deny writes outside /dev/pts/* and reads outside the specific paths telnetd requires. Critically, the profile should deny capability dac_override and capability dac_read_search — which are the capabilities that allow reading /etc/shadow and bypassing file permission checks — so even a root-context exploit cannot access credential files that the profile does not explicitly permit.
Step 7: Kernel namespace isolation for telnetd via a wrapper
The deepest available containment, short of a full VM boundary, is to run telnetd inside Linux kernel namespaces — specifically a mount namespace, user namespace, and PID namespace — so that a successful exploit yields a shell inside an isolated environment rather than on the bare host. The unshare utility ships with most Linux distributions and can wrap any inetd-invoked service. Replacing the telnetd invocation in /etc/inetd.conf or your xinetd configuration with an unshare wrapper creates a new mount, PID, and IPC namespace for each telnetd session:
# /etc/inetd.conf — replace telnetd line with namespaced wrapper
# Before:
# telnet stream tcp nowait root /usr/sbin/telnetd telnetd
# After (mount + pid + ipc namespace isolation):
telnet stream tcp nowait root /usr/bin/unshare \
unshare --mount --pid --ipc --fork /usr/sbin/telnetd
# The attacker who achieves RCE has root inside the namespace,
# not on the host. They cannot see host PIDs, cannot reach host
# mounts, and cannot communicate with host IPC objects.
# Escape requires a separate namespace breakout vulnerability.This is not a complete defense — a sufficiently motivated attacker with a kernel namespace escape can break out — but it turns a single CVE into a two-CVE problem, which is a meaningful raise in attacker cost. It also makes the exploit significantly easier to detect: the namespaced process has a different mount table from the host, so filesystem-level IOCs (unexpected writes to /etc, new entries in /root/.ssh) will not appear on the host even if the attacker believes they have succeeded.
Step 8: Network-level SLC payload inspection with Suricata
For defenders who have network-based IDS/IPS infrastructure, a Suricata rule that parses the raw Telnet negotiation byte stream and alerts or drops on SLC suboptions containing more than 35 triplets provides detection and blocking capability without touching a single affected host. The Telnet SLC suboption frame begins with bytes 0xFF 0xFA 0x03 (IAC SB LINEMODE LM_SLC) and ends with 0xFF 0xF0 (IAC SE). Each triplet is exactly 3 bytes. A payload of 36 or more triplets is 108 or more bytes of content between those delimiters — the exact overflow threshold. The following Suricata rule matches on the SLC suboption frame and fires when the content length exceeds 108 bytes, which is not reachable in any legitimate LINEMODE negotiation:
# Suricata rule: detect CVE-2026-32746 SLC overflow attempt
# Alert on Telnet LINEMODE SLC suboption exceeding safe triplet count
# Place in /etc/suricata/rules/cve-2026-32746.rules
alert tcp any any -> any 23 (
msg:"CVE-2026-32746 TELNETD SLC OVERFLOW ATTEMPT";
flow:established,to_server;
content:"|ff fa 03|"; # IAC SB LINEMODE LM_SLC
depth:3;
isdataat:109,relative; # payload exceeds 36 triplets (108 bytes)
content:!"|ff f0|"; # ensure IAC SE not within first 109 bytes
within:109;
classtype:attempted-admin;
sid:9002632746;
rev:1;
metadata:cve CVE-2026-32746,affected_product GNU_InetUtils_telnetd;
)To convert this from alert-only to blocking mode in an inline IPS deployment, change alert to drop. This rule operates entirely at the network layer — no agent, no host change, no service disruption — and can be deployed across all network segments where port 23 traffic is visible, including segments containing embedded OT devices that cannot be individually patched or hardened.
Step 9: Binary hardening audit
Run checksec --file=$(which telnetd) on every affected host to confirm the current state of stack canaries, ASLR, full RELRO, and NX/DEP SP 800-53 SI-10. Where the kernel supports it and telnetd is compiled without PIE support, recompiling with -fstack-protector-strong, -D_FORTIFY_SOURCE=2, and full RELRO linker flags is a concrete step that raises the attacker's cost significantly before the official patch arrives — even though it does not close the overflow itself. For embedded systems where recompilation is impractical, verify that ASLR is at least enabled at the kernel level via /proc/sys/kernel/randomize_va_space (value 2 for full randomization).
Step 10: Telnet protocol gateway / option negotiation sanitization
For environments where legacy OT devices or appliances require Telnet and cannot be reconfigured, a protocol-level gateway approach provides a layer of protection that firewall rules alone do not. Deploy a Telnet-aware proxy positioned between management workstations and the vulnerable Telnet endpoint that terminates the incoming TCP connection, performs its own Telnet option negotiation with the client, and strips or caps SLC suboptions before relaying the session to the backend. A proxy that refuses to relay LINEMODE SLC suboptions containing more than 35 triplets toward the backend effectively prevents the overflow from reaching the target — without requiring any change to the OT device itself. The proxy needs to handle both the initial WILL LINEMODE negotiation and the subsequent SB LINEMODE SLC data, either by negotiating LINEMODE off with the backend (DO NOT LINEMODE toward the server side) or by counting and truncating triplet payloads before forwarding.
Step 11: SSH migration for OT environments via serial-to-SSH conversion
For OT assets where Telnet is the only available remote management interface because the device predates SSH support, serial-to-SSH conversion appliances provide a migration path that does not require touching the firmware of the legacy device. Products such as Lantronix SLC 8000, Digi Connect IT, and similar console server appliances accept a serial or Telnet connection from the legacy device on their internal interface and expose an SSH service externally, encrypting the management traffic and shifting the authentication boundary to the conversion appliance. For ICS and OT environments where the underlying asset has a five-to-twenty year replacement cycle and cannot run SSH natively, this is a practical path to eliminating Telnet exposure without decommissioning critical infrastructure.
Step 12: SBOM audit for embedded telnetd instances
The watchTowr Labs analysis confirmed that the vulnerable slc.c code was copied into at least ten separate projects. The implication for organizations that manage OT firmware, network appliance images, or container base images is that telnetd exposure may not appear in a simple package scan — the vulnerable code may be present as a compiled binary inside firmware without any package manager record. Generating or updating a Software Bill of Materials (SBOM) for your OT firmware inventory and cross-referencing against the affected platforms list (FreeBSD 13/15, NetBSD 10.1, Citrix NetScaler, uCLinux, libmtev, DragonFlyBSD, Apple Mac Tahoe, Haiku, TrueNAS Core) is a necessary step to understand your actual blast radius SP 800-161r1. Tools such as syft and grype can generate and scan SBOMs for known CVEs; for firmware images where binary extraction is needed, binwalk followed by checksec on identified ELF binaries can confirm whether a telnetd binary derived from slc.c is present in a given firmware build. This matters especially because the vendor-specific patches for non-GNU-InetUtils platforms will arrive on independent timelines and will not be covered by the April 1, 2026 GNU InetUtils release.
Step 13: Deception layer on port 23
For environments that have already disabled or blocked telnetd but want early warning of reconnaissance or exploitation attempts, deploying a honeypot listener on TCP port 23 provides detection value that standard network logging alone does not. A low-interaction honeypot configured to accept TCP connections on port 23, log all incoming data including Telnet option negotiation packets, and alert on any incoming payload containing 40 or more SLC triplets gives defenders a tripwire specifically tuned to CVE-2026-32746 exploitation attempts. This is meaningful because the public PoC and its derivatives will probe port 23 before they probe anything else — and any connection attempt to a port 23 listener on a host where telnetd has been properly disabled is itself an indicator that an attacker is already targeting that network segment. The same honeypot approach, tuned to flag the -f root USER environment value, is effective as an early warning layer for CVE-2026-24061 scanning activity.
Step 14: Detection at the host level
For detection, defenders should monitor for inbound connections to TCP port 23 from unexpected sources and enable logging for those connections T1046 SP 800-53 AU-2/AU-12. Network intrusion detection systems with Telnet protocol decoding capability can be configured to flag LINEMODE SLC suboptions containing an unusually large number of triplets — specifically, payloads containing 40 or more function-code triplets during the option negotiation phase represent the exploitation pattern for CVE-2026-32746. The watchTowr Labs detection script probes for LINEMODE advertisement and exits without sending overflow data, making it safe for production and legacy systems. At the host level, any process spawning a shell (such as /bin/sh or /bin/bash) as a child of telnetd, inetd, or xinetd outside of a normal authenticated session should be treated as a high-confidence indicator of compromise. On systems running auditd, adding a rule to watch for execve syscalls by processes descended from the telnetd process tree is a reliable way to catch post-exploitation activity even if the overflow-to-RCE path was only partially successful SP 800-61r2. Also watch for any attempt to disable or flush firewall rules post-compromise T1562.004 — this is a common post-root step on Linux systems where the attacker wants to re-open access channels independently of the Telnet service.
# Disable telnetd via systemd
sudo systemctl stop inetutils-telnetd
sudo systemctl disable inetutils-telnetd
# Block port 23 with ufw
sudo ufw deny 23/tcp
# Block port 23 with iptables
sudo iptables -I INPUT -p tcp --dport 23 -j DROP
# Check if telnetd is listening
sudo ss -tlnp | grep ':23'As of March 20, 2026, CVE-2026-32746 does not appear in the CISA Known Exploited Vulnerabilities catalog, and no confirmed in-the-wild exploitation has been reported. However, public proof-of-concept code is available, technical details are widely circulated, and CVE-2026-24061 — a sibling vulnerability in the same daemon — is already confirmed as actively exploited. Treat any exposed telnetd instance as a critical risk regardless of KEV status.
Organizations should also check their software inventory against the full version range: GNU InetUtils 1.9.3 through 2.7. Package managers on Debian-based systems can report the installed version with dpkg -l inetutils-telnetd. Once the patch is released, applying it should be treated as an emergency change, not a routine update cycle. Organizations running FreeBSD, NetBSD, TrueNAS, or Citrix NetScaler should monitor their respective vendor advisories, as those implementations carry the same underlying flaw and will require their own patches independent of the GNU InetUtils release.
The Disclosure Timeline and What It Means
Dream Security reported CVE-2026-32746 to the GNU InetUtils security team on March 11, 2026 and published the advisory publicly on March 18 — a coordinated disclosure window of seven days. That is a notably short timeline for a pre-authentication critical vulnerability in widely deployed infrastructure, and it warrants some scrutiny.
Standard coordinated disclosure practice, as codified by organizations like CERT/CC and followed by vendors including Google Project Zero, typically targets a 90-day window from private report to public disclosure — with that period intended to give maintainers sufficient time to develop, test, and distribute a fix before technical details reach potential attackers. Seven days is well outside that norm, and no patch exists at the time of publication. The GNU InetUtils maintainers have confirmed the vulnerability and committed to a fix by April 1, 2026, but that means at least 13 days of public knowledge with no available remediation beyond disabling the service or blocking the port.
Dream Security's advisory does not explain the reasoning behind the compressed timeline. There are scenarios where an accelerated public disclosure is defensible: if evidence of in-the-wild exploitation existed prior to disclosure, if the maintainer was unresponsive, or if the researcher had specific intelligence that the vulnerability was already known to threat actors. None of those conditions are documented in the available public record for CVE-2026-32746. The closely related CVE-2026-24061 followed a more conventional timeline — reported January 19, disclosed January 20 — but that disclosure also preceded a patch and CISA's KEV listing followed within days of confirmed exploitation.
What this timeline means practically for defenders is that the public PoC, technical advisory, and exploit mechanics all circulated before any patch was available. The watchTowr Labs analysis was published on March 19, one day after the advisory, and includes enough technical detail that a skilled attacker can understand the exact overflow trigger without needing the PoC repository. The result is a known, pre-auth, root-level vulnerability with no fix and a shrinking window before weaponized versions appear. Organizations running telnetd in any capacity should treat the disclosure date — not the patch release date — as their countdown clock.
It is also worth asking whether the disclosure would look different if the affected software were a commercial product rather than an open-source daemon maintained by a small team of volunteers. Commercial vendors facing coordinated disclosure of a CVSS 9.8 pre-auth vulnerability would typically dedicate engineering resources to an emergency patch cycle and coordinate with CISA, major Linux distributions, and downstream vendors before the advisory went public. The GNU InetUtils maintainers are capable engineers, but they are not a security response organization. The compressed timeline may have created a gap that a more resource-intensive disclosure process would have avoided — and that gap is currently being absorbed by every organization waiting for the April 1 fix.
When the Patch Drops: What to Actually Do
The article's mitigation section focuses on what to do before a patch exists. But that answer changes the moment an official fix is released — and what you do in the first 24 hours after the patch drops matters as much as what you do now. A patch for a CVSS 9.8 pre-auth vulnerability is not a routine update. Treating it as one is itself a risk.
The expected fix is a bounds check on the number of SLC triplets processed by add_slc() — the function needs to verify that the buffer has room for each three-byte triplet before writing, and reject or truncate inputs that would exceed the buffer limit. The upstream fix is already committed: commit 6864598a in the GNU InetUtils Codeberg repository modifies add_slc() to enforce strict bounds checking on the slcbuf array. When the official release is announced, verify that the changelog explicitly references this commit or the add_slc() boundary fix in telnetd/slc.c. Debian's security tracker already records a fix in its unstable inetutils source package at version 2:2.7-4 referencing this upstream commit. If the release notes are vague or address a different function, hold off and verify with the advisory sources before deploying at scale. Patch authenticity matters: the official release will come from the GNU InetUtils repository on Codeberg or the GNU FTP mirrors. Do not deploy a patch sourced from anywhere else.
For Linux distributions, the patch will arrive as updated packages — expect inetutils-telnetd updates for Debian, Ubuntu, and Kali Linux, and separate packages for SUSE, Trisquel, and downstream derivatives. For FreeBSD, NetBSD, TrueNAS Core, Citrix NetScaler, and DragonFlyBSD, the fix will arrive through their independent release processes and on their own schedules. Do not assume that the GNU InetUtils fix covers these platforms. Monitor each vendor's security advisory channel separately, and do not re-enable telnetd on any of those systems until their specific patched release is confirmed.
Once the patched package is available, apply it on the same day. This is an emergency change, not a standard patch cycle SP 800-40r4. If your organization requires change management approval for patches, initiate that process now so that approval is not the bottleneck when the fix drops. After applying the patch, verify the installed version with dpkg -l inetutils-telnetd (Debian-based) or the equivalent for your distribution, and rerun the watchTowr Labs detection probe against any system you have patched to confirm the overflow trigger is no longer reachable. Then review your firewall rules — a patched system should still not have port 23 open to the internet. Port 23 exposure is a vulnerability even when the software is fully patched, because Telnet transmits all data including credentials in plaintext. The patch eliminates the pre-auth RCE; it does not make Telnet safe to run on an exposed port.
For cloud and container environments, the question is different in kind. If your organization builds container images that include GNU InetUtils, audit those images now. Many base images for Debian, Ubuntu, and related distributions ship inetutils-telnetd as a package even if it is not actively running — it may be present in an image layer without being enabled. An unpatched package in a container image is still in scope for this CVE if the package is installed and telnetd can be invoked. Run your container image scanning tooling against your registry after the patch is released and confirm that no images in production or staging carry the unpatched version SP 800-125Br1. This applies to CI/CD pipelines as well: if your build environment base image includes inetutils, rebuild from a patched base image promptly after the fix is available.
Key Takeaways
- The vulnerability fires before authentication: CVE-2026-32746 is triggered during Telnet option negotiation — before the server ever presents a login prompt. Any attacker who can reach TCP port 23 can trigger memory corruption without credentials. The full CVSS vector (
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) scores every network-accessibility and complexity dimension at maximum risk. - Reliable RCE is environment-dependent, but the threat is still critical: watchTowr Labs researchers McCaulay Hudson and Aliz Hammond confirmed that stable remote code execution is not guaranteed across all targets — it depends on binary hardening, ASLR, and memory layout. However, the overflow reliably produces memory corruption, pointer leaks (including heap address disclosure), and arbitrary writes. OT environments and legacy deployments without modern mitigations face the highest RCE risk.
- The upstream fix exists but no release had shipped as of March 20, 2026: Commit
6864598aon Codeberg adds bounds checking toadd_slc(). Debian records this in inetutils2:2.7-4(unstable). A full release is expected April 1, 2026. Until it is installed, firewall rules and service disablement are the only available protection. - The vulnerable code is 32 years old and present far beyond Linux: The flaw traces to 1994-era BSD telnetd source code. watchTowr Labs found the same vulnerable slc.c logic in FreeBSD, NetBSD, Citrix NetScaler, Apple Mac Tahoe, Haiku, TrueNAS Core, uCLinux, and DragonFlyBSD. NixOS, SUSE, and Trisquel are also affected. The blast radius is substantially wider than the GNU InetUtils advisory alone implies.
- Public exploit code is already available and the information leak primitive is documented: The PoC (jeffaf/cve-2026-32746) appeared within hours of the advisory. watchTowr Labs separately documented the heap pointer leak primitive — where corrupting
slcptrcauses the server to return internal addresses in the SLC response — which lowers the bar for building reliable RCE against specific targets. - GNU InetUtils telnetd has produced two CVSS 9.8 flaws in eight weeks: CVE-2026-24061, discovered by Kyu Neushwaistein and introduced via a 2015 commit, is already in CISA's KEV catalog and confirmed exploited with 21 unique attacker IPs observed by GreyNoise. CVE-2026-32746 is a completely separate flaw from 1994-era code discovered by the six-person Dream Security Research Team. Two critical vulnerabilities from two different eras of the same codebase within two months means this daemon is receiving serious adversarial attention right now.
- ICS, OT, and legacy environments carry the highest residual risk: Industrial and government environments where Telnet cannot be easily removed face a risk that cannot be fully mitigated until the patch is deployed. CyCognito data shows Consumer Discretionary (50.7%) and Industrials (16.3%) account for the largest share of exposed assets. Immediate network-level isolation of any Telnet-dependent assets is the most effective interim control.
- IPv6 listeners require explicit blocking: The CVSS AV:N scope covers both IPv4 and IPv6. Organizations that block port 23 in IPv4 firewall rules only, without checking whether telnetd is also bound to an IPv6 address, remain exposed. Verify with
ss -tlnp6 | grep ':23'. - Internal-only Telnet is not a safe assumption: An attacker with any internal network access — via lateral movement, VPN, or compromised cloud infrastructure — can reach a telnetd instance that is not internet-exposed. The initial Telnet host is rarely the final objective; it is the pivot point into OT networks, engineering workstations, and adjacent high-value systems.
- This vulnerability is a case study in legacy code review failure: The 2005 client-side patch (CVE-2005-0469) fixed the Telnet client's
slc_add_reply()without auditing the server-side mirror function. The lesson applies broadly: any codebase where "just don't use it" became the security posture, rather than rigorous review, is carrying similar unexamined risk.
MITRE ATT&CK Technique Reference
The following table maps the techniques observed across the full attack lifecycle for CVE-2026-32746 — from pre-exploitation reconnaissance through post-compromise persistence and lateral movement. ICS-specific techniques reference the MITRE ATT&CK for ICS matrix.
| Technique | Name | Tactic / Phase |
|---|---|---|
| T1595.001 | Active Scanning: Scanning IP Blocks | Reconnaissance |
| T1190 | Exploit Public-Facing Application | Initial Access |
| T1059.004 | Command and Scripting Interpreter: Unix Shell | Execution |
| T1053.003 | Scheduled Task/Job: Cron | Persistence |
| T1098.004 | Account Manipulation: SSH Authorized Keys | Persistence |
| T1543.002 | Create or Modify System Process: Systemd Service | Persistence |
| T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | Privilege Escalation |
| T1562.004 | Impair Defenses: Disable or Modify System Firewall | Defense Evasion |
| T1036 | Masquerading | Defense Evasion |
| T1070.002 | Indicator Removal: Clear Linux or Mac System Logs | Defense Evasion |
| T1003.008 | OS Credential Dumping: /etc/passwd and /etc/shadow | Credential Access |
| T1552.004 | Unsecured Credentials: Private Keys | Credential Access |
| T1040 | Network Sniffing (Telnet cleartext capture) | Credential Access |
| T1046 | Network Service Discovery | Discovery |
| T1016 | System Network Configuration Discovery (IPv6 enumeration) | Discovery |
| T1021.004 | Remote Services: SSH (post-compromise lateral movement) | Lateral Movement |
| T1570 | Lateral Tool Transfer | Lateral Movement |
| T0822 | External Remote Services (ICS ATT&CK) | Initial Access — ICS |
| T0845 | Program Upload — firmware modification (ICS ATT&CK) | Lateral Movement — ICS |
| Publication | Title / Relevance | Applied To |
|---|---|---|
| SP 800-53r5 | Security and Privacy Controls — CM-7 (Least Functionality), SC-7 (Boundary Protection), AC-6 (Least Privilege), SI-2 (Flaw Remediation), SI-10 (Input Validation), AU-2/AU-12 (Event Logging) | Mitigation & Detection |
| SP 800-40r4 | Guide to Enterprise Patch Management Planning — emergency patching prioritization, change management workflows | Patch Response |
| SP 800-61r2 | Computer Security Incident Handling Guide — post-exploitation detection, IOC identification, scope containment | Incident Response |
| SP 800-82r3 | Guide to Operational Technology Security — ICS/SCADA Telnet risk, OT network segmentation, legacy device mitigations | OT / ICS Risk |
| SP 800-115 | Technical Guide to Information Security Testing and Assessment — safe use of detection scripts, vulnerability scanning methodology | Detection & Testing |
| SP 800-161r1 | Cybersecurity Supply Chain Risk Management — SBOM generation, firmware supply chain exposure, third-party component risk | Supply Chain / SBOM |
| SP 800-218 | Secure Software Development Framework (SSDF) — PW.7/PW.8 code review and testing practices that would surface missing bounds checks | Root Cause / SSDF |
| SP 800-125Br1 | Secure Virtual Network Configuration for Virtual Machine Protection — container image scanning, CI/CD pipeline security | Container / Cloud |
The sources for this article include the Dream Security vulnerability advisory VULN-TELNETD-SLC-2025 (March 13, 2026), the Hacker News report on CVE-2026-32746, the Industrial Cyber analysis, the watchTowr Labs technical analysis by McCaulay Hudson and Aliz Hammond (March 19, 2026), the Censys advisory (March 18, 2026), the oss-security mailing list disclosure (March 12, 2026), the SafeBreach root cause analysis of CVE-2026-24061, the CISA KEV catalog entry for CVE-2026-24061, and the Orca Security analysis of CVE-2026-24061. The upstream fix is tracked at commit 6864598a in the GNU InetUtils Codeberg repository. The public PoC for CVE-2026-32746 is available at github.com/jeffaf/cve-2026-32746. For context on other critical pre-authentication network vulnerabilities active in the same period, see the BeyondTrust CVE-2026-1731 analysis and the FortiOS CVE-2024-55591 authentication bypass covered elsewhere on NoHackie.