Critical Telegram Zero-Click Vulnerability Sparks Industry Clash and Security Alarm

Introduction: A Silent Threat Hidden Inside Everyday Messaging

A newly disclosed vulnerability has shaken confidence in one of the world’s most widely used messaging platforms, Telegram. The issue is not just another bug, but a potential zero-click exploit, meaning users could be compromised without tapping, downloading, or even noticing anything unusual. As cybersecurity researchers raise the alarm and Telegram firmly denies the claims, the situation has evolved into a high-stakes debate about trust, transparency, and the unseen risks embedded in modern communication tools.

The Reported Vulnerability and Industry Response

The vulnerability was disclosed by security researcher Michael DePlante, also known online as @izobashi, through the Zero Day Initiative. Identified as ZDI-CAN-30207, the flaw carries a critical CVSS score of 9.8, signaling extreme severity. According to the report, the vulnerability allows attackers to execute malicious code on a target device without requiring any user interaction, a rare and highly dangerous category of exploit known as “zero-click.”

The attack method is particularly alarming due to its simplicity. It allegedly involves sending a specially crafted animated sticker through Telegram. Because Telegram automatically processes media files to generate previews, this mechanism could potentially be abused to trigger code execution in the background. In such a scenario, the victim would not need to open the message or interact with the sticker in any way, making detection nearly impossible.

The vulnerability reportedly affects Telegram applications on Android and Linux platforms. If successfully exploited, attackers could gain full control over the compromised device, including access to data, system functions, and potentially sensitive communications. This level of access turns a messaging app into a gateway for total system compromise.

Despite the severity of the claim, there is currently no confirmation that the vulnerability has been exploited in real-world attacks. Researchers have intentionally withheld technical details to allow Telegram time to investigate and potentially release a fix before a public deadline set for July 24, 2026. This responsible disclosure approach is standard in cybersecurity, aiming to balance transparency with user safety.

However, the situation took a controversial turn when Telegram officially denied the existence of the vulnerability. According to a statement referenced by the Italian National Cybersecurity Agency, Telegram insists that its infrastructure includes strict server-side validation of all stickers. The company argues that every uploaded sticker is filtered and verified before being distributed, effectively preventing malicious files from reaching users.

Telegram maintains that this centralized validation process makes it technically impossible for stickers to serve as an attack vector for code execution. This direct contradiction between the researcher’s findings and the company’s position has created uncertainty within the cybersecurity community, leaving users unsure about the actual level of risk.

As a precautionary measure, Telegram has suggested that users, particularly business accounts, limit incoming messages from unknown contacts. By adjusting privacy settings, users can restrict messages to saved contacts or premium users, reducing exposure to potential malicious content.

Meanwhile, the broader cybersecurity landscape recognizes that exploits targeting popular platforms like Telegram are extremely valuable. Zero-click vulnerabilities, in particular, can command millions of dollars on underground markets due to their stealth and effectiveness. This economic incentive means that if such a flaw exists, it could quickly be weaponized by sophisticated threat actors.

What Undercode Says:

The real story here is not just about a single vulnerability, but about a deeper structural tension between independent security researchers and platform providers. When a researcher like Michael DePlante publishes a critical finding, it represents months of reverse engineering, testing, and validation. These discoveries are rarely made lightly, especially when tied to formal disclosure channels like the Zero Day Initiative.

At the same time, Telegram’s denial cannot be dismissed as mere defensiveness. Large platforms operate complex infrastructures with layered security controls, and server-side validation is indeed a strong mitigation technique. However, history has repeatedly shown that even well-designed validation systems can contain edge-case flaws, especially when dealing with complex media parsing and rendering pipelines.

The core technical concern lies in how Telegram processes media previews. Automatic parsing of files, particularly animated or compressed formats, has long been a fertile ground for vulnerabilities. From image libraries to video codecs, countless exploits have emerged from subtle parsing errors that bypass validation layers. If the reported flaw exists, it likely exploits such a low-level weakness rather than a simple validation failure.

Another important factor is the zero-click nature of the vulnerability. These types of exploits are considered the gold standard in offensive cybersecurity because they remove the human factor entirely. There is no phishing link to avoid, no suspicious file to ignore. The attack surface becomes passive, meaning every incoming message could theoretically be a threat.

The economic angle adds further weight to the situation. Zero-click exploits targeting widely used apps like Telegram are not just technical achievements, they are commodities. Governments, surveillance firms, and cybercriminal groups are all willing to pay premium prices for such capabilities. This creates a strong incentive for both discovery and secrecy, which complicates public disclosure.

Telegram’s denial may also be strategic. Acknowledging a zero-click vulnerability without a ready patch could trigger panic, damage reputation, and invite exploitation attempts. By denying the claim, the company buys time to investigate quietly. However, this approach carries its own risks, particularly if the vulnerability is later confirmed.

The lack of technical details from the Zero Day Initiative further deepens the ambiguity. While responsible disclosure is essential, it also leaves the public in a state of uncertainty. Users are asked to trust either the researcher or the vendor without access to evidence, a situation that highlights the opaque nature of cybersecurity incidents.

From a defensive standpoint, the recommended mitigation steps are practical but limited. Restricting messages to known contacts reduces exposure, but it does not address the underlying issue. If the vulnerability exists, it remains exploitable within any allowed communication channel.

Ultimately, this incident underscores a fundamental truth about modern digital systems: convenience often comes at the cost of hidden complexity. Features like automatic previews enhance user experience but introduce additional attack surfaces. As platforms continue to evolve, these trade-offs become increasingly difficult to manage.

The broader implication is clear. Users, developers, and organizations must operate under the assumption that even trusted platforms can harbor critical flaws. Security is not a static guarantee but an ongoing process shaped by discovery, denial, and eventual resolution.

Fact Checker Results

✅ The vulnerability ZDI-CAN-30207 is officially registered and reported by a recognized security initiative.
❌ There is no confirmed evidence yet that the exploit has been used in real-world attacks.
✅ Telegram has publicly denied the existence of the vulnerability, creating a verified dispute.

Prediction

📊 High-value zero-click vulnerabilities will continue to target messaging platforms due to massive user bases and silent exploit potential.
📊 Telegram may release a silent security update before the disclosure deadline if internal validation reveals any risk.
📊 The cybersecurity community will likely uncover more media-processing flaws as messaging apps expand features and automation.

References:

Reported By: securityaffairs.com