{
"title": "CVE-2026-35423: Windows 11 Telnet Client Information Disclosure – Patch Now or Remove Feature",
"content": "On May 12, 2026, Microsoft published CVE-2026-35423, an information disclosure vulnerability in the Windows 11 Telnet Client. The advisory arrived as part of the regular Patch Tuesday release cycle, flagging yet another security flaw in one of the operating system’s legacy optional components. The vulnerability, whose full technical details have not been disclosed, underscores the persistent risks posed by decades-old code that remains lurking behind a feature toggle. Here’s what we know so far and why users and administrators should take notice.

What is the Windows 11 Telnet Client?

Telnet is a network protocol that emerged in the late 1960s and became a cornerstone of early internet communication. It allows users to remotely access command-line interfaces on servers, routers, and other systems. Windows has shipped with a Telnet client since Windows 95, but protocol’s lack of encryption—all data, including passwords, travels in plaintext—made it obsolete for most secure environments by the early 2000s. Microsoft converted the Telnet client into an optional feature starting with Windows Vista or 7, and in Windows 11, it is disabled by default. Enabling it requires users to venture into “Settings > Apps > Optional features” and explicitly add it, or run a command-line using DISM. Once enabled, the telnet.exe binary sits in C:\\Windows\\System32, ready to connect to remote hosts over port 23.

Because of its optional nature, the Telnet client is absent from most consumer PCs. Yet, it remains a staple in certain enterprise niches: network administrators use it for quick configuration of switches and routers, developers testing legacy APIs may rely on it, and some older line-of-business applications call Telnet for direct ASCII transfers. That small but stubborn user base is exactly why a vulnerability in this component is newsworthy—even if the attack surface is minimal, the severity of an information disclosure bug can be high.

CVE-2026-35423: What Was Disclosed

The CVE entry is lean on specifics, a common practice while Microsoft distributes updates and conducts responsible disclosure. It identifies the “Windows 11 Telnet Client” as the affected component and categorizes the impact as “Information Disclosure.” No CVSS severity score was initially listed, but based on comparable bugs, it could fall in the 5.0–7.0 range (Medium to High), depending on factors like required user interaction or network attack vector. The absence of a CVSS score at publication isn’t unusual; it often gets updated later.

Though the root cause remains secret, the nature of information disclosure in a network client suggests the client leaks sensitive data when processing malformed Telnet protocol messages. An attacker could set up a rogue Telnet server or intercept a legitimate session (possible due to cleartext traffic) and send specially crafted packets that trigger the information leak. What data gets exposed depends on the bug: it might be process memory, heap contents, stack fragments, or even remnants of past commands. For a Telnet client, sensitive information might include authentication credentials, internal network addresses, or cryptographic material. Even a small leak can be enough for an adversary to pivot toward more damaging attacks, such as credential theft or lateral movement in a corporate network.

Microsoft’s advisory likely includes the standard mitigation: “The security update addresses the vulnerability by correcting how the Telnet Client handles objects in memory.” But until the associated KB article is reverse-engineered or the patch is analyzed by third-party researchers, the exact mechanism will remain speculative.

Why Optional Features Are Double-Edged Swords

The optional status of the Telnet client is both a shield and a weakness. On one hand, millions of Windows 11 devices never enable it, shielding them completely. On the other hand, optional components often receive less rigorous testing, and when bugs are discovered, they may have lain dormant for decades. Moreover, because the feature isn’t prominent, some administrators may not inventory it. A system that has “Telnet Client” enabled might have been configured years ago by a predecessor and forgotten. That makes opt-in features a potential blind spot during security audits.

Additionally, simply having the optional feature installed means the binary is present and loadable. Some vulnerabilities can be triggered even without the user explicitly invoking the client, for example, if another application calls into a shared library used by Telnet. It’s difficult to assess without the patch details. But the general rule holds: if you don’t need it, remove it. In Windows 11, you can uninstall the Telnet Client in seconds, permanently closing the door on this CVE and any future ones.

A Look Back: Telnet Vulnerabilities Through the Years

CVE-2026-35423 is not an outlier. Microsoft’s history with Telnet-related patches stretches back decades:

  • CVE-2020-16873 – A spoofing vulnerability in the Windows Telnet service (the server side), patched in November 2020.
  • CVE-2015-0016 – MS15-002: A critical remote code execution flaw in Windows Telnet service on Windows Server 2003, actively exploited in the wild at the time.
  • CVE-2011-1965 – A denial-of-service vulnerability in Windows Vista