Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE

A critical vulnerability in the GNU InetUtils telnetd daemon, tracked as CVE-2026-32746, allows unauthenticated remote code execution with root privileges. No fix was available at the time of writing, so every telnetd instance reachable over the network is exposed; servers and appliances that still run older telnetd builds and sit on flat networks without modern access control are the most at risk. Experts recommend moving from traditional VPN solutions to Zero Trust Network Access (ZTNA), which removes direct network access to infrastructure: every access is authenticated, and users are connected to individual applications rather than to the network, which sharply reduces the attack surface and the scope for lateral movement. Organizations should locate and disable exposed telnetd instances now, apply vendor fixes as they appear, and plan a migration to this kind of architecture. Failure to act risks complete server compromise and loss of control over infrastructure.
In recent weeks, cybersecurity has stood on the edge of an abyss. The CVE-2026-32746 vulnerability in the GNU InetUtils telnetd daemon is not an ordinary bug: anyone who can reach TCP port 23 can trigger it without a password and end up with root privileges, and the system gets no chance to intervene, because the flaw sits in option negotiation, which telnetd processes before it ever shows a login prompt. With a CVSS score of 9.8 out of 10.0, it ranks among the most severe network-service flaws on record. The problem is that telnetd still lurks in infrastructures around the world, in routers, legacy servers and industrial systems, where administrators have forgotten it exists at all.
This is not an abstract threat for the future. Attacks on this vulnerability are already beginning, and attackers are not waiting for a patch, because none exists, or because none will ever ship for the millions of devices that are no longer maintained. For Polish companies that still rely on older network infrastructure this is a concrete threat: every server or appliance with telnetd enabled is a potential entry point, and taking it over requires no credentials and little effort.
Anatomy of a catastrophe: What exactly went wrong in telnetd
The out-of-bounds write in LINEMODE Set handling is not a random programmer's slip. It is a flaw in how the telnetd daemon parses option negotiation data arriving from the network. The TELNET protocol, despite being over forty years old, still carries complex negotiation and control mechanisms; LINEMODE (RFC 1184) is one of them, letting the client edit a line locally before sending it and agree with the server on which characters have special meaning.
The vulnerability lies in the fact that the telnetd code does not properly check buffer boundaries when processing certain LINEMODE sub-commands. An attacker can send a specially crafted negotiation sequence that forces the daemon to write outside the memory it allocated for that data. An out-of-bounds write of this kind is a memory corruption primitive rather than a simple crash: what gets overwritten depends on what lies next to the buffer, and adjacent data structures such as function pointers or state variables become the lever for redirecting execution. Because option negotiation runs before the login prompt, the daemon processes the hostile bytes with root privileges and without any authentication having taken place.
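To make the mechanism concrete, here is an added Python example that is not GNU InetUtils code and does not reproduce the actual CVE-2026-32746 bug: a minimal scanner for TELNET option negotiation (RFC 854) together with a LINEMODE SLC handler (RFC 1184, "Set Local Characters") in an unchecked and a bounds-checked form. The table size NSLC, the crafted packet and the sample stream are assumptions constructed for the illustration. Python raises IndexError where the unchecked handler indexes past its table; the same logic in C silently writes outside the array, which is the out-of-bounds write class described above.

```python
# Added illustration (not GNU InetUtils code and not the actual CVE-2026-32746
# root cause): a minimal TELNET negotiation scanner and a LINEMODE SLC handler
# in unchecked and bounds-checked form, to show the bug class described above.
from typing import List

IAC, SE, SB = 255, 240, 250                 # RFC 854 command bytes
WILL, WONT, DO, DONT = 251, 252, 253, 254
LINEMODE = 34                               # RFC 1184 option code
LM_SLC = 3                                  # LINEMODE sub-command "Set Local Characters"
NSLC = 30                                   # assumed size of the server's SLC table


def parse_negotiation(stream: bytes) -> List[dict]:
    """Return the option-negotiation events found in a raw telnet byte stream.

    A telnet server processes all of this before it shows a login prompt,
    so every branch below is reachable by an unauthenticated peer.
    """
    events: List[dict] = []
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:
            i += 1                              # ordinary data byte
            continue
        if i + 1 >= n:
            break                               # dangling IAC: nothing to do
        cmd = stream[i + 1]
        if cmd == IAC:                          # IAC IAC is an escaped 0xFF data byte
            i += 2
            continue
        if cmd in (WILL, WONT, DO, DONT):
            if i + 2 >= n:
                break                           # truncated 3-byte command
            events.append({"cmd": cmd, "option": stream[i + 2]})
            i += 3
            continue
        if cmd == SB:
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break                           # unterminated suboption: discard
            body = stream[i + 2:end]            # option byte followed by sub-command data
            events.append({"cmd": SB,
                           "option": body[0] if body else None,
                           "body": bytes(body[1:])})
            i = end + 2
            continue
        events.append({"cmd": cmd})             # NOP, AYT, BRK, ...: 2-byte commands
        i += 2
    return events


def apply_slc_unchecked(body: bytes, table: bytearray) -> int:
    """The shape of the flaw: the peer-supplied function number is used as a
    table index without validation. Python raises IndexError here; the same
    logic in C writes past the end of the table (an out-of-bounds write)."""
    payload = body[1:]                          # skip the LM_SLC sub-command byte
    count = 0
    for k in range(0, len(payload) - 2, 3):
        func, flags, _ch = payload[k], payload[k + 1], payload[k + 2]
        table[func] = flags                     # func is attacker-controlled
        count += 1
    return count


def apply_slc_checked(body: bytes, table: bytearray) -> int:
    """Hardened form: validate structure and every index before writing."""
    if not body or body[0] != LM_SLC:
        raise ValueError("not an SLC sub-command")
    payload = body[1:]
    if len(payload) % 3 != 0:
        raise ValueError("SLC payload is not a whole number of triplets")
    triplets = [(payload[k], payload[k + 1], payload[k + 2])
                for k in range(0, len(payload), 3)]
    for func, _flags, _ch in triplets:
        if func >= len(table):
            raise ValueError(f"SLC function {func} exceeds table size {len(table)}")
    for func, flags, _ch in triplets:           # write only once all indices passed
        table[func] = flags
    return len(triplets)


def crafted_slc_packet(func: int) -> bytes:
    """Constructed sample: one LINEMODE SLC triplet naming function number `func`."""
    return bytes([IAC, SB, LINEMODE, LM_SLC, func, 0x02, 0x03, IAC, SE])


if __name__ == "__main__":
    stream = bytes([IAC, WILL, LINEMODE]) + crafted_slc_packet(200)
    sb = [e for e in parse_negotiation(stream) if e["cmd"] == SB][0]
    table = bytearray(NSLC + 1)
    try:
        apply_slc_unchecked(sb["body"], table)
    except IndexError:
        print("unchecked handler indexed past the table; in C this corrupts memory")
    try:
        apply_slc_checked(sb["body"], table)
    except ValueError as err:
        print("checked handler rejected the packet:", err)
```

Everything `parse_negotiation` returns arrives before any login prompt, which is why a flaw in this layer is reachable by an unauthenticated peer. The checked handler shows the two validations the unchecked one lacks: a whole-number-of-triplets check and a range check on every index before the first write.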
What makes this particularly dangerous is that many embedded systems, from older routers to industrial PLC controllers, still run telnetd builds that contain this vulnerability. Equipment manufacturers do not update software for years, and users do not know that telnetd is there at all. Not every telnetd is this code base (BusyBox, common on embedded Linux, ships its own implementation), but any telnet service reachable over the network is a liability regardless of lineage, so an inventory should not stop at confirming which version a device runs. Network security has become an invisible time bomb ticking in the background of infrastructure.
Why telnetd still lives in 2026
This is a question that should concern every CIO. SSH killed Telnet twenty years ago. Every security guide for a decade has said: disable telnetd, use SSH. Yet the daemon still sits in systems, often enabled by default, waiting for an attacker. Why?
First: backward compatibility. Old scripts, old tools, old operational procedures all assume telnetd will be available, and rewriting them costs money. Second: lack of awareness. The administrator does not know telnetd is there. Does the router have telnetd? Unknown. Does that industrial PLC have telnetd? Probably, but who will check? Third: devices that cannot be updated. Millions of embedded devices will never receive a patch, because their manufacturers went out of business, withdrew from the market, or simply see no point in issuing updates for a device sold ten years ago.
In Poland, the problem is particularly acute in the energy, manufacturing, and critical infrastructure sectors. These industries operate on the principle: if it works, do not touch it. SCADA systems that control power plants or water treatment stations may have telnetd from the days when George W. Bush was president. No one has updated them, because the fear of downtime was greater than the fear of being hacked.
Paradigm shift: From VPN to zero trust network access
CVE-2026-32746 is a shock to the entire industry, but also a catalyst for long-awaited transformation. For decades, the network security model was based on the assumption: if you are on the corporate network (or connected via VPN), you are trusted. This assumption lies in ruins. Telnetd in a router, SSH with a weak password, an unpatched vulnerability in an application — all of this means you are on the network, but you are not safe at all.
The Zero Trust Network Access (ZTNA) model says: trust no one, nowhere, never. Instead of a VPN that grants access to the entire network, a user gains access only to the specific application they need. The connection is encrypted, authenticated, and every action is logged. An attacker, even if they compromise telnetd, will not have access to the entire network — they will only have access to what they managed to compromise.
For Polish companies, this means a concrete change in infrastructure. Instead of a traditional VPN from FortiGate or Cisco, solutions such as Cloudflare Zero Trust, Palo Alto Networks Prisma Access or Okta Identity Cloud are being implemented. There is no longer an "internal network" in the old sense: there is only an authenticated connection between a user and an application. This does not make an exposed telnetd safe, since the daemon itself can still be attacked, but a compromised router no longer sits on a flat network alongside everything else, so the attacker's reach ends at the device rather than extending to the whole estate.
Practical consequences for Polish business
If you run a company with network infrastructure older than five years, you should be concerned. CVE-2026-32746 is not just a theoretical threat. Exploits are already on the internet. Botnets can scan your devices looking for open port 23 (the default telnetd port) and attempt an attack. If you have an older router, a PLC in a factory, or a legacy server with telnetd enabled — you may already be under attack.
The first line of defense is simple: disable telnetd everywhere. Go through every device on your network and check whether telnetd is enabled. On Linux servers, remember that telnetd is usually launched on demand from inetd or xinetd (or a systemd socket unit) rather than running as a standalone daemon, so check those configurations and look for a listener on port 23, not just for a running process. If it is enabled, disable it. If the device has no interface to disable telnetd (older routers), replace it with a new one. This sounds drastic, but it is the only sure defense for devices you cannot update.
Second line: network segmentation. If you have devices you cannot disable or update, place them in a separate network, isolated by a firewall. A router with telnetd should not be directly accessible from the internet. It should be accessible only from an internal administrative network, and only through a VPN with multi-factor authentication.
Third line: monitoring and detection. Deploy tools that will monitor connection attempts on port 23. Every connection to telnetd should trigger an alert. In Poland, where many companies still do not have an advanced SOC (Security Operations Center), this can be a challenge — but tools such as Wazuh or Suricata are open source and free.
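As an added example for the monitoring step (not from the article, and not Wazuh or Suricata configuration), the following Python detector reads Suricata-style eve.json flow records and raises an alert for every TCP connection to port 23 that does not come from an approved administrative source, plus a critical alert when one source touches several hosts on port 23, the signature of a botnet sweep. The log lines, the approved source 10.0.8.5 and the sweep threshold are constructed assumptions.

```python
# Added example (not part of the original article, not Wazuh or Suricata code):
# a detector over Suricata-style eve.json "flow" records that alerts on every
# TCP connection to port 23 from an unapproved source and flags sweeps.
import json
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Set

TELNET_PORT = 23
ADMIN_SOURCES: Set[str] = {"10.0.8.5"}      # assumed: bastion reachable only via MFA VPN
SWEEP_THRESHOLD = 3                         # distinct targets before a source counts as a sweep

# Constructed sample log lines in the shape of Suricata eve.json flow records.
SAMPLE_FLOWS = "\n".join([
    '{"timestamp": "2026-04-01T10:00:01Z", "event_type": "flow", "src_ip": "10.0.8.5", "dest_ip": "10.0.0.1", "dest_port": 23, "proto": "TCP"}',
    '{"timestamp": "2026-04-01T10:00:02Z", "event_type": "flow", "src_ip": "203.0.113.40", "dest_ip": "10.0.0.1", "dest_port": 23, "proto": "TCP"}',
    '{"timestamp": "2026-04-01T10:00:03Z", "event_type": "flow", "src_ip": "203.0.113.40", "dest_ip": "10.0.0.7", "dest_port": 23, "proto": "TCP"}',
    '{"timestamp": "2026-04-01T10:00:04Z", "event_type": "flow", "src_ip": "203.0.113.40", "dest_ip": "10.0.0.9", "dest_port": 23, "proto": "TCP"}',
    '{"timestamp": "2026-04-01T10:00:05Z", "event_type": "flow", "src_ip": "10.0.1.20", "dest_ip": "10.0.0.50", "dest_port": 443, "proto": "TCP"}',
    'not json at all: a truncated line from a rotated log',
    '{"timestamp": "2026-04-01T10:00:06Z", "event_type": "alert", "src_ip": "10.0.1.21", "dest_ip": "10.0.0.1", "dest_port": 23, "proto": "TCP"}',
])


def telnet_flows(lines: Iterable[str], port: int = TELNET_PORT) -> Iterator[Dict]:
    """Yield flow records whose destination is the telnet port; skip malformed lines."""
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue                                  # never let one bad line stop the feed
        if rec.get("event_type") != "flow" or rec.get("proto") != "TCP":
            continue
        if rec.get("dest_port") != port:
            continue
        yield rec


def detect(lines: Iterable[str], allowed_sources: Set[str] = ADMIN_SOURCES,
           sweep_threshold: int = SWEEP_THRESHOLD) -> List[Dict]:
    """Return alerts: one per telnet connection, plus one per source that swept
    at least `sweep_threshold` distinct hosts on the telnet port."""
    alerts: List[Dict] = []
    targets_by_src: Dict[str, Set[str]] = defaultdict(set)
    for rec in telnet_flows(lines):
        src, dst = rec["src_ip"], rec["dest_ip"]
        targets_by_src[src].add(dst)
        if src in allowed_sources:
            alerts.append({"severity": "info", "src": src, "dst": dst,
                           "reason": "telnet from approved admin source"})
        else:
            alerts.append({"severity": "high", "src": src, "dst": dst,
                           "reason": "telnet connection from unapproved source"})
    for src, targets in targets_by_src.items():
        if src not in allowed_sources and len(targets) >= sweep_threshold:
            alerts.append({"severity": "critical", "src": src, "dst": None,
                           "reason": f"telnet sweep across {len(targets)} hosts"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS.splitlines()):
        print(f"[{alert['severity']}] {alert['src']} -> {alert['dst']}: {alert['reason']}")
```

The same `detect` function works on lines read from `sys.stdin` fed by `tail -F /var/log/suricata/eve.json`. The `info` entries from the bastion are kept deliberately, so that legitimate administrative telnet is still audited rather than silently dropped.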
Why VPN alone is no longer enough
Here we need to be honest: traditional VPN gave us a sense of security that was largely illusory. An administrator configures VPN, a user connects, and suddenly they have access to the entire corporate network. File servers, databases, printers, routers — everything. This was convenient. It was also dangerous.
CVE-2026-32746 illustrates this perfectly. An attacker, if they compromise telnetd on a router, can move laterally across the entire network. They can find a file server with customer data. They can find a database server. They can find other devices with similar vulnerabilities. The entire network becomes their playground.
Zero Trust Network Access changes this dynamic. Instead of granting access to the entire network, you grant access to a specific application. A developer gets access only to the code repository and CI/CD server. An HR employee gets access only to the HR system. No one has access to the entire network. No one can move laterally, because there is simply nowhere to move to.
This requires a change in thinking. Instead of the question "how to secure the network?", you ask "how to secure access to the application?". This question leads to completely different solutions. Instead of a firewall, you have an authentication gateway. Instead of VPN, you have an application proxy. Instead of "you are on the network, so you are trusted", you have "you are trusted only to this specific application, and only if you pass multi-factor authentication".
Technical details of ZTNA that Polish administrators should know
If you are wondering how specifically ZTNA protects against vulnerabilities like CVE-2026-32746, here are the details. ZTNA is based on several key components:
- Identity verification — every access request must be preceded by user authentication, usually with multi-factor authentication. An attacker, even if they compromise telnetd, will not have an identity to log in with.
- Device posture checking — the system checks whether the user's device meets security requirements. If a laptop does not have antivirus installed or does not have the latest patches — access is blocked.
- Application-level access — access is not granted to the entire network, but to a specific application. A router with telnetd is not accessible to the user, because there is simply nowhere to access it from.
- Encrypted tunneling — traffic between the user's device and the ZTNA gateway, and from the gateway to the application connector, is encrypted. A compromised router on the path sees only ciphertext, so it cannot read or tamper with other users' sessions (the gateway itself terminates the encryption, so this is not end-to-end in the strict sense).
- Continuous monitoring — every session is monitored in real-time. Suspicious activity triggers automatic access blocking.
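The five components above reduce to one deny-by-default decision per request. The following Python is an added illustration, not any vendor's ZTNA product code: it evaluates identity, MFA, device posture and per-application group membership in that order, and it refuses any target that is not an enrolled application, which is how a router's telnet port ends up unreachable even for a legitimate user. Application names, groups and posture thresholds are assumptions.

```python
# Added example (not part of the original article and not any vendor's ZTNA
# product code): a deny-by-default access decision in the shape the five
# components above describe. Names, groups, thresholds and the application
# catalogue are assumptions made for the illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Device:
    managed: bool              # enrolled in the organisation's device management
    disk_encrypted: bool
    patch_age_days: int        # days since the current OS patch level was applied


@dataclass(frozen=True)
class Principal:
    user: str
    groups: FrozenSet[str]
    mfa_verified: bool
    device: Device


@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: FrozenSet[str]
    require_mfa: bool = True
    max_patch_age_days: int = 30


# Assumed application catalogue. Only enrolled applications are reachable at all;
# a raw network target such as a router's telnet port is not an application.
APP_POLICIES: Dict[str, AppPolicy] = {
    "git.internal":          AppPolicy(frozenset({"dev"})),
    "hr.internal":           AppPolicy(frozenset({"hr"})),
    "router-admin.internal": AppPolicy(frozenset({"netadmin"}), max_patch_age_days=7),
}


def posture_ok(device: Device, policy: AppPolicy) -> bool:
    """Device posture check: unmanaged, unencrypted or stale devices are refused."""
    return (device.managed and device.disk_encrypted
            and device.patch_age_days <= policy.max_patch_age_days)


def authorize(principal: Optional[Principal], app: str,
              catalogue: Dict[str, AppPolicy] = APP_POLICIES) -> Tuple[bool, str]:
    """Decide one access request. Every check must pass; the first failure is the reason.
    Called per request with fresh posture, this is also the continuous-evaluation loop."""
    policy = catalogue.get(app)
    if policy is None:
        return False, "target is not an enrolled application"
    if principal is None:
        return False, "no authenticated identity"        # network position is not an identity
    if policy.require_mfa and not principal.mfa_verified:
        return False, "multi-factor authentication required"
    if not posture_ok(principal.device, policy):
        return False, "device posture check failed"
    if not (principal.groups & policy.allowed_groups):
        return False, "user not in an authorized group"
    return True, "allowed"


if __name__ == "__main__":
    laptop = Device(managed=True, disk_encrypted=True, patch_age_days=3)
    alice = Principal("alice", frozenset({"dev"}), mfa_verified=True, device=laptop)
    for target in ("git.internal", "hr.internal", "10.0.0.1:23"):
        print(target, authorize(alice, target))
    print("from a compromised router, no identity:", authorize(None, "hr.internal"))
```

Run per request with freshly collected posture, the same `authorize` call is the continuous-evaluation loop: a session that passed an hour ago is re-checked and dropped the moment the device falls out of compliance or the MFA assertion expires.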
For a network administrator in Poland, this means concrete steps. The first thing: audit your current solutions. Are you using traditional VPN? Do employees have access to the entire network? If yes — that is a risk. The second thing: choose a ZTNA platform. Cloudflare Zero Trust is an option for smaller companies — simple, inexpensive, quick to implement. Palo Alto Networks Prisma Access is an option for large enterprises — more advanced, more expensive, but with greater control. Okta is a solution more focused on identity management, but with good integration with SaaS applications.
Eliminating lateral movement: The ultimate defense
CVE-2026-32746 is a perfect example of an attack that relies on lateral movement. An attacker compromises telnetd on a router, then tries to move to other systems on the network. In a traditional corporate network, this would be easy — all systems can see each other, everything is on the same subnet, everything can communicate with everything.
ZTNA, paired with microsegmentation of the server side, removes this possibility. Every device, every server, every application is isolated: user access passes through the ZTNA gateway, which verifies each request, and server-to-server traffic is restricted by host or network firewall policy to the flows that are actually needed. A router with telnetd can be attacked, but the attacker gains no path to the database server, because no permitted network communication exists between them.
This requires a change in network architecture, but the effect is dramatic. Instead of one exposed device that unlocks everything, you have many devices, each of which unlocks only itself. An attacker compromises one system but cannot move further. This changes the entire dynamics of the attack.
In the Polish context, this means that companies that implement ZTNA will be much better protected against attacks on legacy infrastructure. An old router with telnetd will still be attacked, but the attacker will not have access to anything beyond the router. That is not an ideal situation: a rooted router can still sniff, reroute or blackhole the traffic that passes through it, so the earlier advice to disable or replace it stands. It is nonetheless much better than the current state of affairs, where compromising a router means compromising the entire network.
Practical implementation steps for Polish companies
If you are a CISO at a Polish company reading this, here is a concrete action plan. First: immediate audit. Go through all your infrastructure and check where telnetd is enabled. Use nmap, Shodan, or simply log into each device and check. Within a week you should have a complete picture.
Second: disable telnetd everywhere possible. If a device has an administrative interface, disable telnetd. If a device does not update and has no interface to disable telnetd, replace it. This may be financially painful, but it is less painful than ransomware.
Third: plan ZTNA implementation. This is not a quick project. It can take months. But it is an investment that will pay for itself many times over in the form of reduced security risk. Start with a pilot — choose one group of users, one application, and implement ZTNA for them. Learn how it works, what problems arise. Then scale.
Fourth: deploy monitoring and detection. Even if you do not have ZTNA, you should monitor connection attempts to telnetd. Every connection should trigger an alert. In Poland, where many companies do not have a dedicated SOC, consider outsourcing — a Managed Security Service Provider (MSSP) can do this for you.
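The audit and disable steps that open this plan, as an added Python example (not from the article): it parses the grepable output of `nmap -p 23 -oG - 10.0.0.0/24` to list hosts with 23/tcp open, grades each one against the administrative subnets that segmentation permits, and reads `ss -ltn` output to confirm a listener on a Linux host itself. The scan results, the `ss` listing and the subnet 10.0.0.0/30 are constructed assumptions.

```python
# Added example (not part of the original article): tooling for the audit step.
# It parses nmap's grepable output (-oG) for hosts with 23/tcp open, classifies
# each finding against the administrative subnets that segmentation allows, and
# parses `ss -ltn` output for a telnet listener on the host itself. Sample inputs
# are constructed; the subnet and host names are assumptions.
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

# Constructed sample of `nmap -p 23 -oG - 10.0.0.0/24` output.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample): nmap -p 23 -oG - 10.0.0.0/24
Host: 10.0.0.1 (gw.example.local)\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (0)
Host: 10.0.0.7 (plc-07.example.local)\tPorts: 23/open/tcp//telnet///
Host: 10.0.0.7 (plc-07.example.local)\tStatus: Up
Host: 10.0.0.9 ()\tPorts: 22/open/tcp//ssh///, 23/closed/tcp//telnet///
# Nmap done (constructed sample)
"""

# Constructed sample of `ss -ltn` on a Linux host with telnetd enabled through inetd.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       5       0.0.0.0:23           0.0.0.0:*
LISTEN  0       5       [::]:23              [::]:*
"""


def parse_nmap_grepable(text: str) -> Dict[str, List[Dict]]:
    """Map each scanned IP to the port entries nmap reported for it."""
    hosts: Dict[str, List[Dict]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                    # comments and blank lines
        fields = line.split("\t")
        ip = fields[0].split()[1]
        ports = hosts.setdefault(ip, [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].strip().split(", "):
                parts = entry.split("/")                # port/state/proto/owner/service/rpc/version/
                ports.append({"port": int(parts[0]), "state": parts[1],
                              "proto": parts[2], "service": parts[4]})
    return hosts


def telnet_exposure(hosts: Dict[str, List[Dict]], admin_nets: Iterable[str],
                    port: int = 23) -> List[Dict]:
    """List hosts with the telnet port open. Any open instance must be disabled or
    the device replaced; one outside the admin subnets is also reachable from the
    flat network, which is the segmentation failure the article warns about."""
    nets = [ip_network(n) for n in admin_nets]
    findings: List[Dict] = []
    for ip, ports in hosts.items():
        if not any(p["port"] == port and p["state"] == "open" and p["proto"] == "tcp"
                   for p in ports):
            continue
        inside_admin = any(ip_address(ip) in net for net in nets)
        findings.append({"host": ip,
                         "severity": "high" if inside_admin else "critical",
                         "action": "disable telnetd or replace the device"
                                   + ("" if inside_admin else "; move behind the admin segment now")})
    return findings


def local_telnet_listeners(ss_output: str, port: int = 23) -> List[str]:
    """Return local socket addresses from `ss -ltn` output that listen on `port`."""
    found: List[str] = []
    for line in ss_output.splitlines()[1:]:             # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        local = cols[3]
        if local.rsplit(":", 1)[-1] == str(port):
            found.append(local)
    return found


if __name__ == "__main__":
    for finding in telnet_exposure(parse_nmap_grepable(SAMPLE_GNMAP), ["10.0.0.0/30"]):
        print(finding)
    print("local listeners:", local_telnet_listeners(SAMPLE_SS))
```

Every host in the findings goes on the disable-or-replace list; a `critical` one is additionally outside the admin segment and reachable from the flat network, so firewall it first. Run the `ss` check on servers as well, because an inetd-launched telnetd shows no `telnetd` process until a client connects, so a process listing alone will miss it.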
CVE-2026-32746 is not a problem that will disappear. Telnetd will be attacked. But with the right plan, with ZTNA implemented and monitoring in place, you can turn this from a catastrophe into a minor incident. The time to act is now.