Alert: Critical GNU InetUtils Telnetd Vulnerability (CVE-2026-32746)
A critical vulnerability (CVE-2026-32746) in GNU InetUtils telnetd has been disclosed, allowing a remote attacker to bypass authentication mechanisms and achieve root remote code execution (RCE) via port 23, requiring no credentials, user interaction, or special network position.
Affected Systems:
GNU Inetutils telnetd versions through 2.7
Security Risks
Exploitation of the identified vulnerability may allow attackers to bypass authentication via exposed Telnet services and potentially gain unauthorized access, which could lead to data compromise, system modification and service disruption.
Recommended Actions
The National Cyber Security Authority (NCSA) strongly recommends that users and system administrators:
Apply the latest GNU Project security patches for all affected versions (up to 2.7) as soon as they are released. The patches are expected to be available no later than April 1, 2026.
Disable the Telnet (telnetd) service immediately if it is not operationally required. Telnet transmits data in plaintext and should be replaced with SSH.
Run telnetd with the least privileges possible (non-root) to reduce the potential impact of exploitation.
Ensure you have the latest backup that can be easily restored before applying any updates or patches.
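To support the patch-or-disable decision above, the following added example (not part of the NCSA advisory or of GNU project code) looks for TCP/23 listeners in saved `ss -H -ltn` output and compares a telnetd version string against the affected range (through 2.7). The function names, the sample invocation and the telnetd path are assumptions, and a listener on port 23 is not necessarily GNU telnetd.

```shell
#!/bin/sh
# Added example: exposure check for CVE-2026-32746 (function names are hypothetical).

# stdin: output of `ss -H -ltn`. Prints local addresses listening on TCP/23.
telnet_listeners() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "LISTEN") {
               loc = $(i + 3)              # State Recv-Q Send-Q Local:Port
               n = split(loc, p, ":")      # last piece is the port, IPv6 included
               if (p[n] == "23") print loc
               break } }'
}

# stdin: output of `telnetd --version`. Prints the last word of the first line.
telnetd_version() {
    sed -n '1s/.* //p'
}

# $1: dotted version. Returns 0 if within "through 2.7", 1 if newer, 2 if unparseable.
is_affected_version() {
    case "$1" in ''|.*|*[!0-9.]*) return 2 ;; esac
    printf '%s\n' "$1" | awk -F. '{
        maj = $1 + 0; min = $2 + 0; pat = $3 + 0
        if (maj != 2) exit !(maj < 2)
        if (min != 7) exit !(min < 7)
        exit !(pat == 0) }'
}

# $1: version string, $2: file with saved `ss -H -ltn` output. Prints one verdict line.
assess() {
    listeners=$(telnet_listeners < "$2" | tr '\n' ' ')
    rc=0; is_affected_version "$1" || rc=$?
    case "$rc" in
        0) state="affected (through 2.7)" ;;
        1) state="newer than 2.7" ;;
        *) state="version unknown" ;;
    esac
    if [ -n "$listeners" ]; then
        echo "FINDING: telnetd ${state}; TCP/23 listening on ${listeners}"
    else
        echo "INFO: telnetd ${state}; no TCP/23 listener"
    fi
}

# On a host (telnetd path is an assumption; adjust to the install location):
#   ss -H -ltn > ss.txt && assess "$(telnetd --version | telnetd_version)" ss.txt
```

A FINDING line with an affected version is the case the advisory's disable-or-patch recommendation applies to; a listener with an unknown version still warrants checking which daemon owns the socket.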
For further information and support, please contact NCSA by email at rwcsirt@ncsa.gov.rw or call us at 9009.