UPDATE
A storm is brewing over a purported critical Telegram Messenger flaw that allows for full system hijack, with full details of the unpatched vulnerability not set to be disclosed until July.
The vulnerability, which could impact some 1 billion users of the popular chat app, was discovered by researcher Michael DePlante of the Trend Micro Zero Day Initiative (ZDI). ZDI first revealed the existence of the flaw, which it tracks as ZDI-CAN-30207, on Thursday and set a deadline for full disclose on July 26.
Telegram, however, took to the social media site X to deny that the vulnerability even exists. This has put the company at a standoff with security researchers, as the flaw already is kicking up a storm of controversy and causing alarm on socials and security blogs.
ZDI assigned the flaw a 9.8 CVSS score but lowered the score to a high-severity 7.0 on Monday. In a post on X, ZDI said the change was made to reflect “server-side mitigations that the vendor described during the disclosure process.”
Scant details of the bug are publicly available at this time (and presumably until July 26). However, various published reports have shared why the flaw has received such a dangerous rating.
According to an alert by Italy’s National Cybersecurity Agency (translated by Google Translate), ZDI-CAN-30207 enables a suspected zero-click remotely executable network-based attack on Android and Linux versions of the app that could execute arbitrary code, access private communications, conduct surveillance, steal sensitive data, and disrupt device functionality.
When Good Stickers Go Bad
The flaw’s exploitation involves using a corrupted sticker in Telegram as an attack vector. Stickers are specially crafted media files often used by people chatting on the app to convey emotions or replace short messages.
“The attack vector is surprisingly simple: animated stickers,” independent cybersecurity consultant/adviser Carolina Vivianti noted in a blog post on Red Hot Cyber. She called the vulnerability “deeply unsettling” because it does not require a user to click or open anything in their Telegram session for compromise to occur.
“Simply receiving the content is enough,” she wrote. “No confirmation, no user interaction. The system processes the files to generate previews, and it is precisely during this stage that the attack occurs.”
However, Telegram repeatedly stated on X that such an attack vector via stickers is not possible and asserting that it is “completely disregards that all stickers uploaded to Telegram are validated by its servers before they can be played by Telegram apps.”
Italy’s National Cybersecurity Agency updated its alert on Monday with Telegram’s denial. “According to this official position, the centralized filtering process prevents the use of corrupted stickers as an attack vector, making it technically impossible to execute malicious code using this method,” the update stated.
DePlante did not immediately return emails sent by Dark Reading requesting comment and more information about the vulnerability.
More Trouble for Telegram?
Telegram, which uses message encryption, is used by many for private communications, which is understandably why a zero-click flaw that allows attackers to steal data, perform cyber espionage, and conduct various other malicious activities would represent a huge disruption to the platform.
Indeed, threat actors can exploit flaws in messaging apps to target various persons of interest whose communications may be of strategic or global importance — including journalists, political figures, government officials, company executives, or enterprise users.
Meanwhile, the security policies of Telegram also have embroiled the company in controversy and legal trouble. Notably, CEO Pavel Durov was arrested by French authorities in 2024 due to Telegram’s historical refusal to share data with law enforcement agencies except in are cases of terrorism, something that forced it to make changes to its policies.
Additionally, the app is popular with cybercriminals who feel they can conduct malicious activity without threat of detection; indeed, they often set up dedicated Telegram channels as a foundation for nefarious activity.
Defensive Measures
Unless Telegram reverses its stance on the existence of the flaw, it’s unlikely the public will know until July if it not only exists but is as dangerous as ZDI fears. Until then, Telegram users should apply all app updates as they are released in the upcoming months — and apply any patch deployed to address the flaw immediately if and when it appears — to ensure they are using the most secure version.
Until the situation becomes more clear, Vivianti proposes separate defensive actions for business and personal users of Telegram. For the former, she recommends reducing the attack surface by restricting message reception to trusted contacts or Premium users only. “This clearly affects communication workflows, but it lowers the exposure risk,” Vivianti noted.
For the general public, since it’s not enough to disable automatic downloads, Vivianti recommends that they temporarily uninstall the application or use the Web version of Telegram through an up-to-date browser, which “leverages the sandbox architecture of modern browsers.” This provides a stronger isolation layer compared to the native client, she said.
This story was updated at 3:30 p.m. ET on March 30 to reflect new information from ZDI, which lowered the CVSS score of the Telegram vulnerability from 9.8 to 7.0.
