Red Hot Cyber
Cybersecurity, Cybercrime News and Vulnerability Analysis
There is something deeply unsettling about this vulnerability: no click is required, nothing needs to be opened. Simply receiving the content is enough. Researchers from the Trend Micro Zero Day Initiative (ZDI) have identified a Remote Code Execution flaw with a CVSS score of 9.8 affecting Telegram on Android and Linux.
The attack vector is surprisingly simple: animated stickers. Specially crafted media files that, once delivered, automatically trigger the execution of malicious code. No confirmation, no user interaction. The system processes the files to generate previews, and it is precisely during this stage that the attack occurs.
The consequences are serious. An attacker could potentially gain full control of the device. This goes far beyond superficial access: messages, contacts, and active sessions may all become exposed. It is essentially a door left wide open—one that the user cannot even see.
The alert was issued by the Agenzia per la Cybersicurezza Nazionale through its CSIRT. The vulnerability was discovered by Michael DePlante (known online as @izobashi) from the Trend Micro Zero Day Initiative.
The impacted versions are clearly defined:
This is not a minor bug. Its zero-click nature makes it particularly dangerous, especially in environments where communication flows continuously and messages are processed automatically.
Severity overview
| Category | Details |
|---|---|
| Type | Remote Code Execution |
| CVSS Score | 9.8 (Critical) |
| Attack Vector | Malicious animated stickers processed automatically |
| User Interaction | None required |
No Indicators of Compromise (IoCs) have been released so far, which makes it significantly harder to detect whether systems may have already been targeted.
This is where things become uncomfortable. The available mitigations are not elegant—but they are necessary.
For business users, the first line of defense is reducing the attack surface: restrict message reception to trusted contacts or Premium users only. This clearly affects communication workflows, but it lowers the exposure risk.
For the general public, the situation is more complicated. Disabling automatic downloads is not sufficient. Sticker parsing still occurs at the system level.
That leaves two imperfect options:
The second option leverages the sandbox architecture of modern browsers, which provides a stronger isolation layer compared to the native client. It is not a perfect solution, but it is safer than continuing to use a vulnerable client.
One important aspect is often overlooked when discussing critical vulnerabilities. Within the framework of the Trend Micro Zero Day Initiative, exploits are not circulated freely and are not treated as commodities to be sold to the highest bidder—such as through zero-day brokers or private offensive security organizations.
The program follows strict rules: discoveries are handled through responsible disclosure processes, with the goal of enabling a fix through Coordinated Vulnerability Disclosure (CVD).
This is fundamentally different from what happens in underground markets. In those environments, vulnerabilities of this kind can become high-value criminal assets, capable of generating enormous profits. Reliable zero-click exploits, particularly on widely used communication platforms like Telegram, can be worth millions of euros in clandestine circles.
Programs like the Trend Micro Zero Day Initiative exist precisely to prevent that scenario—bringing these discoveries into a regulated framework where the risk can be managed before it ends up in the wrong hands.
