Telegram: Controversy over critical or high-risk security vulnerability
IT researchers have identified a supposedly critical zero-click vulnerability in Telegram. Telegram disputes this.
(Image: Sergei Elagin / Shutterstock.com)
Last weekend, several media outlets reported on an allegedly critical zero-click security vulnerability in the Telegram messenger, discovered by IT researchers from Trend Micro's renowned Zero-Day Initiative (ZDI). Telegram, however, has told the Italian cyber-security authority Agenzia per la Cybersicurezza Nazionale (ACN) that the vulnerability does not exist.
The Zero-Day Initiative lists entry ZDI-CAN-30207, dated Thursday of last week. It states only the affected product (Telegram) and the CVSS-based risk rating (currently 7.0). Under its responsible-disclosure process, ZDI gives Telegram until July 24, 2026, to fix the vulnerability; after that, ZDI will publish details and assign a CVE number.
The Italian cyber-security authority ACN issued a warning about the Telegram vulnerability over the weekend, with more detail: a zero-click vulnerability in the Android and Linux versions of the messenger allows attackers to inject and execute malicious code in vulnerable versions by means of "animated stickers", without the user having to interact with or confirm anything. The problem stems from Telegram's automatic processing of these media files. Attackers could thereby gain control of the affected device and access sensitive data such as messages, contacts, or active sessions. ZDI's initial rating of the vulnerability was therefore "critical", with a CVSS score of 9.8.
Telegram: Vulnerability does not exist
ACN contacted Telegram and updated its advisory on Monday of this week. According to the update, Telegram has officially denied the existence of the vulnerability: every sticker uploaded to the platform is validated and scanned on the servers before it is distributed to the client apps. This central filtering, Telegram says, prevents specially crafted animated stickers from being used to exploit vulnerabilities, and executing malicious code this way is therefore technically impossible.
Meanwhile, ZDI has also lowered the severity rating, citing Telegram's server-side countermeasures as the reason in a post on Mastodon; the entry is now rated "high" with a CVSS score of 7.0. ACN nevertheless still recommends restricting the reception of messages from new contacts in Telegram's settings, limiting it to one's own address book or to Premium users.
The ZDI website lists the zero-click vulnerability in Telegram, but now with a lower risk classification.
(Image: heise medien)
Telegram's statements lack the details that would allow a better assessment. Telegram has not yet responded to a request for comment from heise security.
In principle, a server-side scan does not close such a vulnerability; at best it makes exploitation harder. The explanation given to ACN so far suggests not a filter that rejects everything it cannot verify, but rather a kind of malware scan. Such scans can often be evaded by obfuscation or deliberate malformation of the file, for example when the scanner's parser can no longer cope with the data while the target software still processes it.
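The parser differential described above, as an added illustration that is not part of the article and not Telegram's code: a server-side scanner that only implements the common subset of a file format, compared with a client that implements the full format. It assumes that animated stickers are gzip-compressed Lottie JSON (the .tgs format), which the article does not state, and uses a placeholder key "trigger" to stand in for whatever content the scanner is looking for; the sample files are constructed here.

```python
"""Scanner-versus-client parser differential on gzip-wrapped JSON.

Constructed example, not Telegram's code. Assumption: animated stickers are
gzip-compressed Lottie JSON (.tgs). The "trigger" key is a placeholder for
whatever a scanner would flag; it is not a real sticker feature.
"""
import gzip
import io
import json
import zlib

# Constructed sample payloads (Lottie-style top-level keys).
BENIGN = {"v": "5.5.2", "fr": 60, "layers": []}
SUSPECT = {"v": "5.5.2", "fr": 60, "layers": [], "trigger": "X" * 64}


def pack_plain(obj):
    """gzip with the minimal 10-byte header (flags byte = 0)."""
    return gzip.compress(json.dumps(obj).encode())


def pack_with_name(obj, name="sticker.json"):
    """Same content, but with the optional FNAME header field set (RFC 1952).
    Any spec-compliant gzip reader handles this."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", filename=name) as f:
        f.write(json.dumps(obj).encode())
    return buf.getvalue()


def naive_decode(blob):
    """Scanner's parser: implements only the common case (fixed 10-byte header,
    raw deflate after it). It gives up on any optional header field."""
    if blob[:2] != b"\x1f\x8b":
        raise ValueError("not gzip")
    flags = blob[3]
    if flags != 0:
        raise ValueError(f"unsupported gzip flags 0x{flags:02x}")
    d = zlib.decompressobj(-zlib.MAX_WBITS)  # raw deflate, trailer ignored
    return json.loads(d.decompress(blob[10:]))


def client_decode(blob):
    """Target's parser: full gzip support (FNAME, FEXTRA, multi-member)."""
    return json.loads(gzip.decompress(blob))


def looks_malicious(obj):
    return isinstance(obj, dict) and "trigger" in obj


def scan_fail_open(blob):
    """Malware-scan style: anything the scanner cannot parse passes through."""
    try:
        return "reject" if looks_malicious(naive_decode(blob)) else "allow"
    except Exception:
        return "allow"


def scan_fail_closed(blob):
    """Filter style: anything the scanner cannot fully parse is rejected."""
    try:
        obj = naive_decode(blob)
    except Exception:
        return "reject"
    return "reject" if looks_malicious(obj) else "allow"


def evaluate(blob):
    """Outcome of both server policies plus what the client actually sees."""
    return {
        "fail_open": scan_fail_open(blob),
        "fail_closed": scan_fail_closed(blob),
        "client_sees_trigger": looks_malicious(client_decode(blob)),
    }


if __name__ == "__main__":
    for label, blob in [("plain/suspect", pack_plain(SUSPECT)),
                        ("fname/suspect", pack_with_name(SUSPECT)),
                        ("plain/benign", pack_plain(BENIGN)),
                        ("fname/benign", pack_with_name(BENIGN))]:
        print(label, evaluate(blob))
```

The interesting row is the suspect payload with the FNAME field set: the fail-open scanner allows it because its parser bails out on the header, while the client decodes it without complaint. A fail-closed filter catches it, at the price of also rejecting the benign file with the same header, which is exactly the trade-off a "validate and scan" claim leaves unanswered.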
(dmk)