
CVE-2026-32746: A 32-Year-Old Telnetd Bug Now Threatens Saudi Financial Infrastructure

A 32-year-old buffer overflow in GNU InetUtils telnetd (CVE-2026-32746, CVSS 9.8) is now actively exploited — and it affects network appliances running inside Saudi financial networks. Here's what CISOs need to do today.

FyntraLink Team

CISA has added CVE-2026-32746 to its Known Exploited Vulnerabilities catalog, confirming active exploitation of a buffer overflow buried in the GNU InetUtils telnet daemon for over three decades. With a CVSS score of 9.8, the flaw allows unauthenticated remote code execution with root privileges — no credentials, no user interaction, just a single crafted packet sent to port 23. For Saudi financial institutions running affected appliances, this is a patch-or-perish moment.

Inside CVE-2026-32746: How a 32-Year-Old Bug Became a Critical Threat

Israeli cybersecurity firm Dream Security disclosed CVE-2026-32746 on March 11, 2026, after discovering that every version of GNU InetUtils telnetd through 2.7 carries a fatal flaw in its LINEMODE Set Local Characters (SLC) suboption handler. The add_slc() function writes three bytes per SLC triplet into a fixed 108-byte buffer called slcbuf without performing any bounds checking. After just 35 triplets with function codes greater than 18, the write exceeds the buffer boundary and corrupts adjacent memory — including a pointer that attackers can hijack for an arbitrary write primitive.

What makes this vulnerability exceptionally dangerous is its exploitation timeline. Researchers at watchTowr Labs published a detailed technical walkthrough showing that exploitation occurs during the initial connection handshake — before any authentication prompt appears. The attack surface is as simple as an open port 23. According to Censys data from March 18, 2026, approximately 3,362 hosts remain publicly exposed, and threat actors began probing vulnerable endpoints within days of disclosure.

Affected Systems: Far Beyond Legacy Servers

The blast radius of CVE-2026-32746 extends well beyond old Unix boxes running telnetd. The vulnerable code is embedded in a wide range of platforms that financial institutions commonly deploy: FreeBSD and NetBSD-based network appliances, Citrix NetScaler (already under siege from CVE-2026-3055), TrueNAS Core storage systems, Synology DSM network-attached storage, and various embedded systems running uCLinux. Organizations that assume "we don't use Telnet" may be surprised to find the daemon enabled by default on appliances they never audited at the service level.

CyCognito's analysis highlights that many of these affected devices sit in network segments that handle sensitive financial data — backup storage arrays, load balancers, and management interfaces for core banking infrastructure. A compromised appliance in any of these positions gives an attacker a privileged foothold for lateral movement across the entire network.

Impact on Saudi Financial Institutions Under SAMA and NCA Oversight

For organizations regulated by the Saudi Central Bank (SAMA), CVE-2026-32746 directly intersects with multiple domains of the SAMA Cyber Security Control Compendium (CSCC). The Vulnerability Management controls (Section 3.3.6) mandate that critical vulnerabilities with active exploitation evidence be remediated within defined SLAs — typically 48 to 72 hours for CVSS 9.0+ findings. The Network Security controls (Section 3.3.3) require organizations to disable unnecessary network services and protocols, with Telnet explicitly called out as a legacy protocol that should be replaced by encrypted alternatives like SSH.

The NCA Essential Cybersecurity Controls (ECC) reinforce this through control ECC-2:4-3, which requires continuous vulnerability assessment and timely patching of internet-facing and critical infrastructure components. Additionally, the NCA's Operational Technology (OT) cybersecurity framework places specific emphasis on securing management interfaces of industrial and network equipment — precisely the attack surface that CVE-2026-32746 targets.

Under PDPL (Personal Data Protection Law), a breach resulting from failure to patch a known, actively exploited vulnerability could constitute regulatory negligence, exposing the institution to penalties and mandatory breach notification requirements that took effect in September 2025.

Why Standard Patching Won't Be Enough

Here's the operational challenge: as of March 31, 2026, no official patch exists for the upstream GNU InetUtils package. Dream Security reported the flaw on March 11, and a fix is expected no later than April 1, 2026. Some downstream vendors like Synology and FreeBSD have issued or are preparing independent patches, but many appliance vendors have yet to respond. This creates a window where mitigation — not patching — is the only viable defense.

The situation is further complicated by the fact that many affected appliances don't support granular service control through their standard management interfaces. Disabling telnetd on a Citrix NetScaler or a TrueNAS system may require SSH access and manual service configuration, which many operations teams are not accustomed to performing on production network equipment.

Recommended Actions for CISOs and Security Teams

  1. Conduct an emergency asset scan for port 23 exposure. Use your vulnerability scanner or run a targeted Nmap sweep (nmap -p 23 --open) across all network segments, including management VLANs, DMZs, and OT networks. Document every responding host.
  2. Disable telnetd immediately on all identified systems. For Linux-based appliances, this typically means stopping the service and removing it from startup. For FreeBSD-based systems, set telnetd_enable="NO" in /etc/rc.conf. Where telnetd cannot be disabled without breaking management access, enforce SSH as the sole remote administration protocol.
  3. Deploy IDS/IPS signatures targeting LINEMODE SLC anomalies. Configure your intrusion detection systems to alert on Telnet LINEMODE SLC suboptions carrying payloads exceeding 90 bytes. Snort and Suricata signatures for CVE-2026-32746 are already available from multiple threat intelligence feeds.
  4. Implement network-level blocking at the perimeter. Block inbound TCP port 23 at all firewall boundaries. For internal segments, apply micro-segmentation policies that restrict Telnet access to only explicitly authorized management stations — and log every connection attempt.
  5. Coordinate with appliance vendors for patch timelines. Contact your Citrix, Synology, TrueNAS, and other appliance vendors directly to obtain confirmed patch delivery dates. Track these in your vulnerability management platform and escalate any vendor that cannot commit to a remediation timeline within your SAMA CSCC SLA window.
  6. Update your SAMA CSCC vulnerability management evidence. Document your detection, mitigation, and remediation actions as evidence for your next SAMA audit cycle. This includes scan results, change tickets for telnetd disablement, IDS rule deployments, and vendor correspondence.
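As an added example (not code from the FyntraLink post, from GNU InetUtils, or from any IDS vendor), here is the check behind step 3 carried out in Python: a small parser walks a captured Telnet byte stream, extracts each IAC SB ... IAC SE suboption, and flags any LINEMODE SLC suboption whose triplet data exceeds the 90-byte threshold the post recommends. Protocol constants follow RFC 854 and RFC 1184; the sample byte strings are constructed here for illustration.

```python
# Telnet constants (RFC 854) and LINEMODE/SLC codes (RFC 1184).
IAC, SB, SE = 255, 250, 240
OPT_LINEMODE = 34
LM_SLC = 3
SLC_THRESHOLD = 90  # bytes of SLC triplet data; matches the post's IDS guidance


def iter_suboptions(stream: bytes):
    """Yield (option, payload) for every IAC SB ... IAC SE block in the stream.
    An escaped IAC inside the suboption (IAC IAC) is unescaped to a single 0xFF."""
    i, n = 0, len(stream)
    while i < n - 1:
        if stream[i] == IAC and stream[i + 1] == SB and i + 2 < n:
            option, payload, j = stream[i + 2], bytearray(), i + 3
            while j < n:
                b = stream[j]
                if b == IAC:
                    if j + 1 < n and stream[j + 1] == IAC:   # escaped data byte
                        payload.append(IAC)
                        j += 2
                        continue
                    if j + 1 < n and stream[j + 1] == SE:    # end of suboption
                        j += 2
                    break  # IAC followed by anything else: malformed, stop here
                payload.append(b)
                j += 1
            yield option, bytes(payload)
            i = j
        else:
            i += 1


def find_oversized_slc(stream: bytes, threshold: int = SLC_THRESHOLD):
    """Return (triplet_count, data_len) for each LINEMODE SLC suboption over the threshold."""
    hits = []
    for option, payload in iter_suboptions(stream):
        if option != OPT_LINEMODE or not payload or payload[0] != LM_SLC:
            continue
        slc_data = payload[1:]  # sequence of (function, flags, value) triplets
        if len(slc_data) > threshold:
            hits.append((len(slc_data) // 3, len(slc_data)))
    return hits


def build_slc_suboption(triplets):
    """Encode SLC triplets as a wire-format suboption (used only to build samples)."""
    body = bytes([LM_SLC]) + b"".join(bytes(t) for t in triplets)
    body = body.replace(bytes([IAC]), bytes([IAC, IAC]))  # escape data 0xFF
    return bytes([IAC, SB, OPT_LINEMODE]) + body + bytes([IAC, SE])


# Constructed samples: a normal three-triplet SLC exchange, and a 40-triplet one
# (120 data bytes) that an IDS rule with a 90-byte threshold should flag.
BENIGN = build_slc_suboption([(3, 2, 3), (4, 2, 15), (5, 2, 20)])
OVERSIZED = build_slc_suboption([(1, 2, 255)] * 40)
```

Feed `find_oversized_slc` the reassembled client-to-server bytes of a port 23 session; an empty list means no SLC suboption crossed the threshold.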

Conclusion

CVE-2026-32746 is a stark reminder that legacy protocols carry compounding risk. A buffer overflow that has existed since the early 1990s is now a weaponized, pre-authentication root shell that requires nothing more than network access to port 23. For Saudi financial institutions, the intersection of active exploitation, broad appliance impact, and regulatory obligations under SAMA CSCC and NCA ECC makes this a priority-one remediation event. The absence of an upstream patch makes proactive mitigation — disabling Telnet, deploying IDS signatures, and hardening network segmentation — not optional but mandatory.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and emergency vulnerability triage support.
