Security researchers are actively evaluating a reported vulnerability in Telegram Messenger that could lead to full system compromise. Full technical details of the unpatched vulnerability are scheduled for disclosure in July.
The vulnerability, which could impact a significant portion of the application's 1 billion users, was discovered by Michael DePlante of the Trend Micro Zero Day Initiative (ZDI). ZDI disclosed the existence of the finding, tracked as ZDI-CAN-30207, on Thursday and scheduled a full disclosure date for July 26.
Telegram has publicly denied the vulnerability's existence on the social media platform X. The conflicting assessments have generated considerable discussion across security communities, as researchers and users work to evaluate the actual risk.
ZDI initially assigned the vulnerability a 9.8 CVSS score. On Monday, the organization lowered the score to a high-severity 7.0. In a follow-up post on X, ZDI clarified that the adjustment was made to reflect "server-side mitigations that the vendor described during the disclosure process."
While full technical specifics remain restricted until July 26, various published alerts provide insight into the initial severity rating. According to an advisory published by Italy's National Cybersecurity Agency, ZDI-CAN-30207 enables a suspected zero-click, network-based compromise on Android and Linux versions of the application. If successfully triggered, the vulnerability could allow an unauthorized party to execute arbitrary code, access private communications, conduct surveillance, access sensitive data, and disrupt device functionality.
The role of animated stickers
Triggering the reported vulnerability involves sending a specially crafted animated sticker. Stickers are media files used within the application to convey emotions or replace standard text messages.
Independent cybersecurity consultant Carolina Vivianti noted in a Red Hot Cyber blog post that the method is remarkably simple, relying entirely on these animated files. She highlighted the finding as concerning because the compromise sequence requires no user interaction.
"Simply receiving the content is enough," Vivianti wrote. "No confirmation, no user interaction. The system processes the files to generate previews, and it is precisely during this stage that the [unauthorized execution] occurs."
Telegram has repeatedly stated that compromising the application via stickers is not possible. The company asserted that the claim "completely disregards that all stickers uploaded to Telegram are validated by its servers before they can be played by Telegram apps."
Italy's National Cybersecurity Agency subsequently updated its alert to include Telegram's denial. The agency noted Telegram's official position that the centralized filtering process prevents corrupted stickers from reaching the end user, making remote code execution technically impossible through this method.
Context and platform risks
Because Telegram utilizes message encryption, it serves as a primary communication tool for users requiring privacy. A zero-click vulnerability allowing unauthorized parties to access data or conduct surveillance would represent a substantial risk to the platform's user base.
Threat actors frequently evaluate messaging applications to target specific individuals whose communications hold strategic value, including journalists, government officials, and enterprise users.
Telegram's broader security and data policies have also drawn recent scrutiny. In 2024, French authorities arrested CEO Pavel Durov over the company's historical refusal to share data with law enforcement agencies, leading the platform to adjust its policies. Additionally, unauthorized parties often use the application to coordinate activities, frequently establishing dedicated channels as operational infrastructure.
Defensive measures
Until the public disclosure in July provides definitive technical clarity, users and organizations should prioritize standard application maintenance. Telegram users should apply all app updates as they are released in the coming months to ensure they are operating the most current and secure version.
For those requiring immediate risk reduction, Vivianti proposes specific defensive actions. For business users, she recommends restricting message reception to trusted contacts or Premium users to minimize exposure. "This clearly affects communication workflows, but it lowers the exposure risk," Vivianti noted.
For general users, simply disabling automatic downloads is insufficient. Instead, Vivianti recommends temporarily utilizing the Web version of Telegram through an up-to-date browser, which leverages modern browser sandboxing. This approach provides a stronger isolation layer compared to the native client. Alternatively, users may choose to temporarily uninstall the native application until further details are verified.