
CVE-2026-32746: 32-Year-Old Telnetd Bug Gives Attackers Root Access — Why Saudi Financial Infrastructure Must Act Now

A 32-year-old buffer overflow in GNU telnetd now carries a CVSS 9.8 score and threatens every ICS, OT, and legacy network device still running Telnet on port 23 — including infrastructure inside Saudi financial institutions.

FyntraLink Team

A vulnerability that has silently lived inside GNU InetUtils telnetd for over three decades is now a confirmed CVSS 9.8 critical threat. CVE-2026-32746 allows any unauthenticated remote attacker to execute arbitrary code as root through TCP port 23 — before the login prompt even appears. For organizations still running Telnet in production, including banks and financial institutions with legacy ICS and OT infrastructure, the window to act is closing fast.

What Is CVE-2026-32746 and Why Does It Matter?

Discovered by Israeli cybersecurity firm Dream Security and publicly disclosed on March 11, 2026, CVE-2026-32746 is a classic buffer overflow (CWE-120) in the LINEMODE Set Local Characters (SLC) suboption handler of the GNU InetUtils telnet daemon. The add_slc function fails to verify whether the destination buffer is full before writing additional data. An attacker exploits this by sending a specially crafted packet during the initial Telnet negotiation handshake — no credentials required, no user interaction needed.

The vulnerability affects all versions of GNU InetUtils telnetd through version 2.7. A proof-of-concept exploit is publicly available, and security researchers at watchTowr Labs have published a detailed technical analysis confirming reliable exploitation. The GNU project committed a patch expected to land by April 1, 2026, but downstream distribution timelines vary — meaning many systems will remain unpatched for weeks or months.

The ICS and OT Exposure Problem

Most modern enterprise networks retired Telnet years ago in favor of SSH. But Telnet is far from dead. It persists in operational technology (OT) environments, industrial control systems (ICS), SCADA networks, legacy networking equipment, and embedded devices where firmware updates are rare or impossible. Aging programmable logic controllers (PLCs), building management systems, and ATM management interfaces frequently use Telnet as their sole remote management protocol.

This creates a particularly dangerous scenario: the same devices that are hardest to patch are the ones most exposed to CVE-2026-32746. In Saudi financial institutions, branch network equipment, ATM infrastructure, and facilities management systems often fall into this category. An attacker who gains root access to one of these devices can pivot laterally into the broader corporate network, intercept unencrypted data streams, or disrupt physical operations.

Dream Security's advisory specifically flagged the risk to critical infrastructure including power grids, water treatment facilities, and manufacturing environments. For the Saudi financial sector, the parallel risk extends to payment processing infrastructure, data center environmental controls, and branch networking equipment that may still expose port 23.

Impact on Saudi Financial Institutions Under SAMA and NCA Oversight

The SAMA Cyber Security Common Controls (CSCC) framework is explicit about vulnerability management obligations. Domain 3 (Cyber Security Operations and Technology) requires institutions to maintain asset inventories that include OT and legacy systems, perform continuous vulnerability scanning, and remediate critical vulnerabilities within defined SLAs. A CVSS 9.8 vulnerability with a public exploit and no authentication requirement falls squarely into the "immediate remediation" category.

The NCA Essential Cybersecurity Controls (ECC) reinforce this with requirements for network segmentation between IT and OT environments (ECC 2-2), access control enforcement on management interfaces (ECC 2-3), and incident detection capabilities that cover legacy protocols (ECC 3-1). Organizations that have not inventoried their Telnet-exposed assets are likely non-compliant with both frameworks right now.

Additionally, SAMA's Technology Risk Management guidelines require financial institutions to maintain secure configurations for all network-accessible services. Running an unpatched Telnet daemon on any production asset — whether it is a core banking server or a branch router — represents a configuration that no risk register should accept without compensating controls and a documented remediation timeline.

Why This Vulnerability Is Especially Dangerous

Several factors combine to make CVE-2026-32746 unusually threatening. First, the attack surface is broad: Shodan scans consistently show thousands of Telnet services exposed directly to the internet, and internal network scans in enterprise environments typically reveal many more. Second, exploitation is trivial — it occurs during the protocol handshake before any authentication, meaning network-level access to port 23 is the only prerequisite. Third, successful exploitation yields root-level code execution, the highest possible privilege on a Unix-based system.

Fourth, and most critically for the financial sector, this vulnerability arrived just weeks after CVE-2026-24061 — another CVSS 9.8 flaw in the same GNU telnetd codebase — was confirmed under active exploitation in the wild. The pattern suggests that threat actors are actively probing for Telnet services, and the availability of a public PoC for CVE-2026-32746 makes mass exploitation a matter of when, not if.

Recommended Mitigation Steps

  1. Conduct an emergency asset discovery for Telnet services. Run internal network scans targeting TCP port 23 across all segments, including OT/ICS zones, branch networks, and data center management VLANs. Tools like Nmap, Tenable, or Qualys can identify exposed services within hours. Every discovered instance must be logged in your CMDB and risk register.
  2. Disable Telnet where operationally feasible. For any system that supports SSH or an alternative encrypted management protocol, disable the Telnet daemon immediately. This is the most effective mitigation and should be the default action for IT infrastructure.
  3. Apply strict network segmentation for systems that cannot migrate. For legacy PLCs, embedded devices, and equipment where Telnet removal is not possible, implement firewall rules that restrict port 23 access to specific management jump hosts only. No Telnet service should be reachable from general-purpose network segments.
  4. Deploy network-level detection rules. Configure your IDS/IPS and SIEM to alert on anomalous Telnet negotiation patterns, particularly oversized LINEMODE SLC option payloads. Suricata and Snort signatures for CVE-2026-32746 are already available from multiple threat intelligence feeds.
  5. Patch when available and track downstream distribution. Monitor your Linux distribution vendor (Red Hat, Ubuntu, SUSE) for the backported fix. Apply it through your standard patch management cycle, but escalate the SLA to match the CVSS 9.8 severity. For custom-compiled installations, pull the fix directly from the GNU InetUtils repository.
  6. Document compensating controls for your regulator. If Telnet cannot be removed or patched within your standard SLA, document the compensating controls (segmentation, monitoring, access restrictions) in your risk register and ensure your SAMA examiner has visibility into the remediation timeline.
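A detection heuristic for step 4, given here as an added example that is not part of the original post and is not code from the GNU InetUtils project or from any named IDS vendor. It parses Telnet option negotiation bytes (RFC 854 IAC SB ... IAC SE framing, RFC 1184 LINEMODE option 34, SLC suboption 3, with IAC IAC escaping of 0xFF data bytes) and flags any LINEMODE SLC suboption that carries more (function, flags, value) triplets than a locally chosen threshold. The threshold MAX_SLC_TRIPLETS and both sample byte strings are constructed assumptions; the oversized sample only reproduces the size pattern, nothing else.

```python
"""Flag oversized Telnet LINEMODE SLC suboptions in captured negotiation bytes.

Added example: a size-based heuristic, not the GNU InetUtils code and not a
vendor IDS signature. Run it over the first bytes a client sends on port 23.
"""

IAC, SB, SE = 0xFF, 0xFA, 0xF0          # RFC 854 command bytes
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
OPT_LINEMODE = 34                       # RFC 1184 LINEMODE option
LINEMODE_SLC = 3                        # SLC suboption within LINEMODE

# Assumption: tune locally. RFC 1184 defines roughly thirty SLC functions,
# so a legitimate client has no reason to send anywhere near 64 triplets.
MAX_SLC_TRIPLETS = 64


def iter_suboptions(stream: bytes):
    """Yield (option, payload, terminated) for every IAC SB ... IAC SE.

    IAC IAC inside a suboption is an escaped 0xFF data byte. A suboption cut
    off by a bare IAC or by end of stream is yielded with terminated=False.
    """
    i, n = 0, len(stream)
    while i + 1 < n:
        if stream[i] != IAC:
            i += 1                      # plain data byte
            continue
        cmd = stream[i + 1]
        if cmd == SB and i + 2 < n:
            opt = stream[i + 2]
            payload = bytearray()
            j = i + 3
            terminated = False
            while j < n:
                b = stream[j]
                if b == IAC and j + 1 < n:
                    nxt = stream[j + 1]
                    j += 2
                    if nxt == IAC:      # escaped 0xFF data byte
                        payload.append(IAC)
                        continue
                    if nxt == SE:       # proper end of suboption
                        terminated = True
                    break               # any other command ends the suboption
                payload.append(b)
                j += 1
            yield opt, bytes(payload), terminated
            i = j
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3                      # three-byte option command
        else:
            i += 2                      # two-byte command (or escaped IAC)


def slc_triplet_count(payload: bytes):
    """Return the number of 3-byte SLC triplets in a LINEMODE payload, or None
    when the payload is not an SLC suboption."""
    if not payload or payload[0] != LINEMODE_SLC:
        return None
    return (len(payload) - 1) // 3


def flag_oversized_slc(stream: bytes, limit: int = MAX_SLC_TRIPLETS):
    """Return the triplet counts of every LINEMODE SLC suboption above limit."""
    findings = []
    for opt, payload, _terminated in iter_suboptions(stream):
        if opt != OPT_LINEMODE:
            continue
        count = slc_triplet_count(payload)
        if count is not None and count > limit:
            findings.append(count)
    return findings


def _slc_suboption(triplets):
    """Build IAC SB LINEMODE SLC <triplets> IAC SE, escaping 0xFF data bytes.
    Helper for the constructed samples below."""
    body = bytes([LINEMODE_SLC])
    for func, flags, value in triplets:
        body += bytes([func, flags, value])
    body = body.replace(bytes([IAC]), bytes([IAC, IAC]))
    return bytes([IAC, SB, OPT_LINEMODE]) + body + bytes([IAC, SE])


# Constructed benign negotiation: DO LINEMODE, then four SLC triplets
# (SLC_IP=^C, SLC_EOF=^D, SLC_EC=DEL, and one 0xFF value to exercise escaping).
BENIGN = bytes([IAC, DO, OPT_LINEMODE]) + _slc_suboption(
    [(3, 0x02, 0x03), (8, 0x02, 0x04), (10, 0x02, 0x7F), (4, 0x02, 0xFF)]
)

# Constructed oversized sample: the same framing carrying 200 triplets.
OVERSIZED = bytes([IAC, DO, OPT_LINEMODE]) + _slc_suboption([(1, 0x02, 0x00)] * 200)

if __name__ == "__main__":
    print("benign   :", flag_oversized_slc(BENIGN))     # []
    print("oversized:", flag_oversized_slc(OVERSIZED))  # [200]
```

Feed the function the first few hundred bytes of each new inbound session on port 23 (from a packet capture or a network tap) and raise an alert on any non-empty result; the `terminated` flag from `iter_suboptions` is also worth logging, since a suboption that never closes is itself unusual for a well-behaved client.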

Conclusion

CVE-2026-32746 is a stark reminder that legacy protocols carry compounding risk. A 32-year-old bug in a protocol most security professionals consider obsolete now threatens root-level compromise of critical infrastructure. For Saudi financial institutions, the combination of regulatory obligations under SAMA CSCC and NCA ECC, the prevalence of legacy OT systems, and the trivial exploitation path makes this vulnerability an urgent priority — not a backlog item.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment that includes OT/ICS asset discovery and legacy protocol risk analysis.
