Red Hot Cyber
Cybersecurity, Cybercrime News and Vulnerability Analysis

From CVSS 9.8 to 7.0: What Happened to the Telegram Bug?

30 March 2026 19:47

Yesterday, a critical vulnerability affecting the Telegram messenger was reported in the registry of the Zero Day Initiative (ZDI), identified as ZDI-CAN-30207. The issue was discovered by Michael DePlante, a researcher affiliated with ZDI. However, representatives of Telegram told the media that the vulnerability does not exist and that the researcher was mistaken.

It is worth noting that ZDI is the world’s largest vendor-agnostic bug bounty program, supported by Trend Micro. Active since 2005, the initiative specializes in the responsible disclosure of vulnerabilities.

ZDI receives reports of unpatched bugs from independent researchers, forwards them to vendors, and rewards those who report them. Technical details of the vulnerabilities are not made public until a patch is released.


In addition to collaborating with individual security researchers, ZDI also has its own internal team of bug hunters dedicated to discovering vulnerabilities, and DePlante is a member of this team.

The ZDI-CAN-30207 vulnerability was assigned a CVSS score of 9.8 out of 10 yesterday. According to the CVSS vector, the issue can be exploited remotely and does not require privileges, special conditions, or user interaction. According to security specialists at 3Side, who were among the first to notice the ZDI entry, the bug “could very likely allow the compromise of any Telegram account.”

Telegram, however, has taken a different stance. The company’s press office stated on the social network X that the vulnerability simply does not exist.

According to Telegram representatives, the researcher incorrectly claimed that the attack could be carried out using a sticker containing malicious code.

In a reply posted on X to ZDI, the company explained that all stickers uploaded to Telegram are validated on its servers before being displayed to clients, making this type of exploitation impossible.

Technical details of the vulnerability have not yet been disclosed, in line with ZDI policy, making it impossible to independently confirm or deny its existence. Under ZDI rules, full details will be made available either after a patch is released or after a 120-day disclosure period.

It is also important to note that the entry in the ZDI catalog has changed its score, dropping from 9.8 yesterday to 7.0 today.



Bajram Zeqiri is an expert in cybersecurity, cyber threat intelligence, and digital forensics with over twenty years of experience, combining technical expertise and strategic vision to build cyber resilience for SMEs. Founder of ParagonSec and a technical contributor for Red Hot Cyber, he works in the delivery and design of various cyber services, including SOC, MDR, Incident Response, Security Architecture, Engineering, and Operations. He helps SMEs transform cybersecurity from a cost center into a strategic business enabler.
Areas of Expertise: Cyber threat intelligence, Incident response, Digital forensics, Malware analysis, Security architecture, SOC/MDR operations, OSINT research