STORM Brews Over Critical, No-Click Telegram Flaw reports a purported zero-click vulnerability in Telegram that could affect around 1 billion users, allegedly triggered by a corrupted sticker and rated 9.8 on the CVSS scale by the Trend Micro Zero Day Initiative (ZDI), which tracks it as ZDI-CAN-30207. ZDI disclosed the flaw on a Thursday with a full disclosure deadline set for 26 July, while Telegram has denied the existence of the vulnerability.
An Italy’s National Cybersecurity Agency alert, translated by Google, cites that ZDI-CAN-30207 enables a suspected zero-click, remotely executable network-based attack on Android and Linux versions, allowing arbitrary code execution, access to private communications, surveillance, data theft and disruption of device function.
Telegram has publicly rejected the attack vector via stickers, claiming the centralized filtering process prevents such use and makes it technically impossible to execute malicious code through that method. The article notes ongoing disputes between researchers and the company, with DePlante not immediately replying to requests for comment. Until July, readers are advised to keep Telegram updated and consider defensive measures proposed by experts, particularly for business users.