Synology has issued an urgent security advisory — Synology-SA-26:03 — disclosing a critical vulnerability in the telnetd daemon bundled with GNU Inetutils, the widely-used suite of network utilities. The flaw, tracked as CVE-2026-32746, affects multiple versions of Synology’s DiskStation Manager (DSM) operating system and carries a CVSS 3.1 Base Score of 9.8 — the highest tier of severity.

The advisory was first published on March 19, 2026 and remains an ongoing situation for one product line, underscoring the urgency for administrators to act immediately.

What Is the Vulnerability?

The root cause is a classic buffer overflow (CWE-120) residing in the telnetd component of GNU Inetutils through version 2.7. Specifically, the vulnerability lives in the handler for the LINEMODE SLC (Set Local Characters) Telnet sub-option. The add_slc function, responsible for processing SLC data, fails to verify whether the receiving buffer has sufficient space before writing into it.

“telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC suboption handler because add_slc does not check whether the buffer is full.” — Synology Security Advisory, Synology-SA-26:03

By crafting a malicious Telnet request that triggers this handler with oversized SLC data, a remote attacker can corrupt adjacent memory, redirecting program execution to attacker-controlled code. Because Telnet authentication occurs after the initial negotiation phase — and SLC processing happens during negotiation — the attack requires no username or password.

The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H confirms the worst-case scenario: the attack is network-accessible, low complexity, requires no privileges, and results in full compromise of confidentiality, integrity, and availability.

An Important Clarification: The Vulnerability Is Upstream

While this is a Synology advisory, it is worth emphasizing that the flaw originates in GNU Inetutils — an upstream, open-source project — not in Synology’s own code. The vulnerability exists because Synology’s DSM ships telnetd from this library. This also means other Linux distributions or embedded systems using GNU Inetutils through version 2.7 may be independently affected.

Affected Products and Patch Versions

Synology has identified and patched the issue across its primary DSM product lines. The following table reflects the official advisory as of its last update:

Product Severity Status Required Action
DSM 7.3 Critical Patch available Upgrade to 7.3.2-86009-3 or later
DSM 7.2.2 Critical Patch available Upgrade to 7.2.2-72806-8 or later
DSM 7.2.1 Critical Patch available Upgrade to 7.2.1-69057-11 or later
DSMUC 3.1 Critical Ongoing Monitor Synology advisories for update
BeeStation OS 1.4 Not Affected No action required
SRM 1.3 Not Affected No action required
VS600HD 1.2 Not Affected No action required

Users running DSMUC 3.1 should monitor the official advisory page closely, as a fix is in progress but not yet released as of the initial publication date.

How to Protect Your System Right Now

Priority 1 — Apply the Patch

The most effective remediation is to upgrade to the patched DSM version listed above. Synology’s update mechanism can be accessed via Control Panel → Update & Restore → DSM Update. Ensure automatic updates are enabled for critical security fixes going forward.

Priority 2 — Disable Telnet Immediately

For systems that cannot be patched immediately — or as a permanent hardening measure — Synology recommends disabling the Telnet service entirely. Telnet transmits all data, including credentials, in plaintext and has long been superseded by SSH as the secure remote-access standard. Follow these steps:

  1. Open Control Panel from the DSM desktop.
  2. Navigate to Terminal & SNMP settings.
  3. Uncheck the “Enable Telnet service” checkbox.
  4. Click Apply to save the change.

Disabling Telnet eliminates the attack surface for CVE-2026-32746 entirely. If remote CLI access is required, ensure SSH is enabled and restricted to known IP addresses via DSM’s firewall settings.

⚠ Official Mitigation — Synology-SA-26:03

“It is recommended to disable the Telnet service to reduce potential risk.” — Synology’s advisory explicitly recommends disabling Telnet even for users who have applied the patch, as a defense-in-depth measure.

Additional Hardening Recommendations

Beyond this specific vulnerability, administrators should review their NAS exposure posture: avoid exposing DSM management ports to the public internet, enable two-factor authentication, restrict administrative access by IP, and subscribe to Synology’s security notification service to receive future advisories promptly.

Background: Why Telnet Remains a Risk

Telnet dates to 1969 and was designed for a time when network security was not a primary concern. Unlike SSH, Telnet sends all traffic — commands, file contents, and passwords — across the network in plaintext, making it trivially interceptable. Most security frameworks, including NIST and CIS, have long recommended disabling Telnet in favor of SSH. Despite this, Telnet remains enabled by default in some configurations for legacy compatibility, creating exactly the kind of residual attack surface that CVE-2026-32746 exploits.

The fact that this vulnerability resides in GNU Inetutils — a foundational and widely deployed open-source package — means its impact likely extends beyond Synology products. Administrators of any Linux system running telnetd from GNU Inetutils ≤ 2.7 should treat this as equally urgent.

References & Further Reading