A recently reported security issue involving Telegram has triggered debate between independent security researchers and the platform itself, with claims of a high-severity zero-click remote code execution vulnerability affecting Android and Linux clients. The issue is described by researchers as potentially critical due to its ability to execute code through automated media processing, while Telegram has publicly denied that such a vulnerability exists, arguing that its validation architecture prevents this class of exploitation.
Reported Vulnerability
According to researchers from the Trend Micro Zero Day Initiative (ZDI), the issue tracked as ZDI-CAN-30207 carries a CVSS score of 9.8, classifying it as critical severity. The vulnerability is described as a zero-click remote code execution flaw allegedly triggered through specially crafted animated stickers, exploiting the way Telegram processes incoming media for previews.
The reported attack vector relies on automatic parsing of media content once it is received by the client. In this model, no interaction is required from the user, meaning that simply receiving a malicious sticker could theoretically trigger code execution on affected Telegram for Android and Telegram Desktop installations on Linux systems.
Potential Impact and Execution
Security descriptions attributed to Italy’s National Cybersecurity Agency characterize the issue as particularly severe because of its interactionless nature. Since the alleged exploit requires no clicks, file openings, or user confirmations, the entry threshold is considered extremely low compared to traditional malware delivery techniques.
In a successful exploitation scenario, an attacker could potentially gain control over a targeted device and access sensitive data such as messages, contacts, and active session information linked to a Telegram account. At the same time, there are no confirmed reports indicating that this vulnerability has been exploited in real-world attacks, and no Indicators of Compromise have been publicly released, which limits detection capability.
Telegram’s Position
Telegram has reportedly denied the existence of the vulnerability, stating that all stickers and media files are subject to mandatory server-side validation before being distributed to clients. From this perspective, the platform argues that centralized filtering prevents malformed or malicious content from reaching user devices, making code execution through sticker-based payloads technically impossible under its system design.
This leaves a direct discrepancy between the claims made by researchers and cybersecurity advisories on one side and Telegram's official position on the other, with the two sides presenting fundamentally different accounts of how media processing and validation operate within the platform.
Uncertainty and Mitigation Approaches
Because there is no confirmed exploitation data and the underlying technical claims remain disputed, mitigation guidance is largely precautionary. Some recommendations suggest limiting incoming messages from unknown contacts, particularly for business or organizational accounts, and restricting communications to verified users where possible.
Additional suggestions include using Telegram through web-based clients in modern browsers, where sandboxing may provide stronger isolation compared to native applications. However, this remains a conditional workaround rather than a confirmed mitigation, especially given claims that media parsing occurs automatically at a system level within native clients.
Broader Security Context
The discussion around this alleged vulnerability also sits within a wider narrative concerning Telegram’s ecosystem and its use cases. Some cybersecurity reporting has described the platform as increasingly associated with illicit digital marketplaces, including the distribution of malware services, phishing kits, and compromised access credentials. These observations are part of broader ecosystem analysis rather than direct evidence connected to the reported vulnerability itself.
Conclusion
The reported zero-click vulnerability in Telegram remains unresolved, with researchers describing a critical remote code execution risk tied to automated media processing, while Telegram denies that such an exploit is technically possible under its validation framework. With no confirmed exploitation and no publicly available indicators of compromise, the situation remains disputed, leaving an unresolved gap between external security assessments and the platform's official position.