Storm Brews Over Critical, No-Click Telegram Flaw

APPLICATION SECURITY REMOTE WORKFORCE THREAT INTELLIGENCE VULNERABILITIES & THREATS NEWS Storm Brews Over Critical, No-Click Telegram Flaw The vulnerability, which is allegedly triggered by a corrupted sticker in the messaging app, received a 9.8 CVSS score, but Telegram denies it exists. Elizabeth Montalbano,Contributing Writer March 30, 2026 4 Min Read SOURCE: PITOR ADAMOWICZ VIA ALAMY STOCK PHOTO UPDATE A storm is brewing over a purported critical Telegram Messenger flaw that allows for full system hijack, with full details of the unpatched vulnerability not set to be disclosed until July. The vulnerability, which could impact some 1 billion users of the popular chat app, was discovered by researcher Michael DePlante of the Trend Micro Zero Day Initiative (ZDI). ZDI first revealed the existence of the flaw, which it tracks as ZDI-CAN-30207, on Thursday and set a deadline for full disclose on July 26.  Telegram, however, took to the social media site X to deny that the vulnerability even exists. This has put the company at a standoff with security researchers, as the flaw already is kicking up a storm of controversy and causing alarm on socials and security blogs. ZDI assigned the flaw a 9.8 CVSS score but lowered the score to a high-severity 7.0 on Monday. In a post on X, ZDI said the change was made to reflect "server-side mitigations that the vendor described during the disclosure process." Related:Google Sets 2029 Deadline for Quantum-Safe Cryptography Scant details of the bug are publicly available at this time (and presumably until July 26). However, various published reports have shared why the flaw has received such a dangerous rating.  According to an alert by Italy's National Cybersecurity Agency (translated by Google Translate), ZDI-CAN-30207 enables a suspected zero-click remotely executable network-based attack on Android and Linux versions of the app that could execute arbitrary code, access private communications, conduct surveillance, steal sensitive data, and disrupt device functionality. Loading... When Good Stickers Go Bad The flaw's exploitation involves using a corrupted sticker in Telegram as an attack vector. Stickers are specially crafted media files often used by people chatting on the app to convey emotions or replace short messages. "The attack vector is surprisingly simple: animated stickers," independent cybersecurity consultant/adviser Carolina Vivianti noted in a blog post on Red Hot Cyber. She called the vulnerability "deeply unsettling" because it does not require a user to click or open anything in their Telegram session for compromise to occur. "Simply receiving the content is enough," she wrote. "No confirmation, no user interaction. The system processes the files to generate previews, and it is precisely during this stage that the attack occurs." However, Telegram repeatedly stated on X that such an attack vector via stickers is not possible and asserting that it is "completely disregards that all stickers uploaded to Telegram are validated by its servers before they can be played by Telegram apps." Related:AI-Powered Dependency Decisions Introduce, Ignore Security Bugs Italy's National Cybersecurity Agency updated its alert on Monday with Telegram's denial. "According to this official position, the centralized filtering process prevents the use of corrupted stickers as an attack vector, making it technically impossible to execute malicious code using this method," the update stated. DePlante did not immediately return emails sent by Dark Reading requesting comment and more information about the vulnerability. More Trouble for Telegram? Telegram, which uses message encryption, is used by many for private communications, which is understandably why a zero-click flaw that allows attackers to steal data, perform cyber espionage, and conduct various other malicious activities would represent a huge disruption to the platform.  Indeed, threat actors can exploit flaws in messaging apps to target various persons of interest whose communications may be of strategic or global importance — including journalists, political figures, government officials, company executives, or enterprise users. Meanwhile, the security policies of Telegram also have embroiled the company in controversy and legal trouble. Notably, CEO Pavel Durov was arrested by French authorities in 2024 due to Telegram's historical refusal to share data with law enforcement agencies except in are cases of terrorism, something that forced it to make changes to its policies. Related:Checkmarx KICS Code Scanner Targeted in Widening Supply Chain Hit Additionally, the app is popular with cybercriminals who feel they can conduct malicious activity without threat of detection; indeed, they often set up dedicated Telegram channels as a foundation for nefarious activity. Defensive Measures Unless Telegram reverses its stance on the existence of the flaw, it's unlikely the public will know until July if it not only exists but is as dangerous as ZDI fears. Until then, Telegram users should apply all app updates as they are released in the upcoming months — and apply any patch deployed to address the flaw immediately if and when it appears — to ensure they are using the most secure version. Until the situation becomes more clear, Vivianti proposes separate defensive actions for business and personal users of Telegram. For the former, she recommends reducing the attack surface by restricting message reception to trusted contacts or Premium users only. "This clearly affects communication workflows, but it lowers the exposure risk," Vivianti noted. For the general public, since it's not enough to disable automatic downloads, Vivianti recommends that they temporarily uninstall the application or use the Web version of Telegram through an up-to-date browser, which "leverages the sandbox architecture of modern browsers." This provides a stronger isolation layer compared to the native client, she said. This story was updated at 3:30 p.m. ET on March 30 to reflect new information from ZDI, which lowered the CVSS score of the Telegram vulnerability from 9.8 to 7.0.   About the Author Elizabeth Montalbano Contributing Writer Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports Frost Radar™: Non-human Identity Solutions 2026 CISO AI Risk Report Cybersecurity Forecast 2026 The ROI of AI in Security ThreatLabz 2025 Ransomware Report Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars You May Also Like APPLICATION SECURITY Trump Administration Rescinds Biden-Era Software Guidance by Alexander Culafi JAN 29, 2026 APPLICATION SECURITY Microsoft Fixes Exploited Zero Day in Light Patch Tuesday by Jai Vijayan, Contributing Writer DEC 09, 2025 CYBERATTACKS & DATA BREACHES DeepSeek Breach Opens Floodgates to Dark Web by Emma Zaballos APR 22, 2025 APPLICATION SECURITY Oracle Cloud Users Urged to Take Action by Jai Vijayan, Contributing Writer MAR 31, 2025 Editor's Choice CYBERSECURITY OPERATIONS Why Stryker's Outage Is a Disaster Recovery Wake-Up Call byJai Vijayan MAR 12, 2026 5 MIN READ CYBER RISK What Orgs Can Learn From Olympics, World Cup IR Plans byTara Seals MAR 12, 2026 THREAT INTELLIGENCE Commercial Spyware Opponents Fear US Policy Shifting byRob Wright MAR 12, 2026 9 MIN READ Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Building a Robust SOC in a Post-AI World THURS, MARCH 19, 2026 AT 1PM EST Retail Security: Protecting Customer Data and Payment Systems THURS, APRIL 2, 2026 AT 1PM EST Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need WED, APRIL 1, 2026 AT 1PM EST Securing Remote and Hybrid Work Forecast: Beyond the VPN TUES, MARCH 10, 2026 AT 1PM EST AI-Powered Threat Detection: Beyond Traditional Security Models WED, MARCH 25, 2026 AT 1PM EST More Webinars White Papers Autonomous Pentesting at Machine Speed, Without False Positives Fixing Organizations' Identity Security Posture Best practices for incident response planning Industry Report: AI, SOC, and Modernizing Cybersecurity The Threat Prevention Buyer's Guide: Find the best AI-driven threat protection solution to stop file-based attacks. Explore More White Papers BLACK HAT ASIA | MARINA BAY SANDS, SINGAPORE Experience cutting-edge cybersecurity insights in this four-day event featuring expert Briefings on the latest research, Arsenal tool demos, a vibrant Business Hall, networking opportunities, and more. Use code DARKREADING for a Free Business Pass or $200 off a Briefings Pass. GET YOUR PASS GISEC GLOBAL 2026 GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills. 📌 BOOK YOUR SPACE