A vulnerability affecting Telegram, a messaging platform used globally for private and group communication, could allow attackers to execute code on targeted devices without any user interaction, according to security researchers and official alerts.

The issue, identified by researchers working with Trend Micro’s Zero Day Initiative, is described as a zero-click remote code execution flaw that can be triggered through specially crafted animated stickers. The vulnerability has been assigned a CVSS score of 9.8, indicating critical severity, according to the Zero Day Initiative listing.

According to the findings, the attack relies on how Telegram processes media files. Animated stickers, which are commonly used in chats, can be manipulated to include malicious code. When such a file is received, the system processes it automatically to generate a preview, which can trigger code execution without requiring the recipient to open or interact with the message.

Researchers and national cybersecurity authorities stated that successful exploitation could allow an attacker to gain control over a device and access sensitive information, including messages, contacts, and account session data. The vulnerability has been reported to affect Telegram applications on Android and desktop versions for Linux.

No indicators of compromise have been publicly released, and technical details remain limited as part of a coordinated disclosure process. Full disclosure of the vulnerability has been scheduled for a later date to allow time for remediation.

Mitigation options are limited, according to the reports. Restricting incoming messages to known contacts may reduce exposure for business users, while general users may need to rely on alternative access methods, such as web-based versions of the service. Disabling automatic downloads does not fully prevent the issue, as sticker processing occurs at the system level.

Telegram has disputed the existence of the vulnerability. The company stated that all stickers are validated on its servers before being delivered to users and said this process prevents malicious files from being used as an attack vector.

At the time of reporting, it remains unclear whether the vulnerability has been exploited in real-world attacks. Researchers have not released further technical details, and no patch has been confirmed.
