AS/400 Telnet 5250 terminal emulation clients, as implemented by (1) IBM client access, (2) Bosanova, (3) PowerTerm, (4) Mochasoft, and possibly other emulations, allows malicious AS/400 servers to execute arbitrary commands via a STRPCO (Start PC Organizer) command followed by STRPCCMD (Start PC command), as demonstrated by creating a backdoor account using REXEC.

Buffer overflow in the slc_add_reply function in various BSD-based Telnet clients, when handling LINEMODE suboptions, allows remote attackers to execute arbitrary code via a reply with a large number of Set Local Character (SLC) commands.

FreeRADIUS RADIUS server allows remote attackers to cause a denial of service (CPU consumption) via a flood of Access-Request packets.

Buffer overflow in efax 0.9 and earlier, when installed setuid root, allows local users to execute arbitrary code via a long -x argument.

efax 0.9 and earlier, when installed setuid root, allows local users to read arbitrary files via the -d option, which prints the contents of the file in a warning message.

strace allows local users to read arbitrary files via memory mapped file names.

The default configuration of NCSA Telnet package for Macintosh and PC enables FTP, even though it does not include an "ftp=yes" line, which allows remote attackers to read and modify arbitrary files.

Race condition in xterm allows local users to modify arbitrary files via the logging option.

ypserv allows local administrators to modify password tables.

ypserv allows a local user to modify the GECOS and login shells of other users.

Lynx WWW client allows a remote attacker to specify command-line parameters which Lynx uses when calling external programs to handle certain protocols, e.g. telnet.

A version of finger is running that exposes valid user information to any entity on the network.