CRITICAL: Telegram Vulnerability “ZDI‑CAN‑30207” Exposes Users to Zero‑Click Attacks
Executive Summary
The Zero Day Initiative (ZDI) entry ZDI‑CAN‑30207 for Telegram represents a high‑severity, zero‑click remote code execution (RCE) flaw that allows an attacker to compromise a victim’s device by simply delivering a crafted media file. The vulnerability, rated CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), was reported to Telegram on 26 March 2026 and is slated for public disclosure on 24 July 2026. At the time of writing, no official patch has been released, and the affected product line spans the Telegram desktop application for macOS (CVE‑2023-26818) and the mobile applications on Android and iOS (specific versions undisclosed). Immediate mitigations include disabling automatic media downloads and monitoring for anomalous process execution.
Technical Analysis
Root Cause and Vulnerability Mechanics
The core of ZDI‑CAN‑30207 lies in a flaw within Telegram’s media handling pipeline. While the exact memory corruption vector is not publicly disclosed, the vulnerability is described as a remote code execution via crafted media files. The associated CVE, CVE-2023-26818, was identified in the macOS desktop client and is known to be a buffer overflow triggered during the parsing of media payloads. It is reasonable to infer that ZDI‑CAN‑30207 exploits a similar flaw—likely an unchecked buffer or improper bounds checking in the media decoder—allowing an attacker to inject arbitrary code into the client’s execution context without user interaction.
The MTProto protocol flaw, also reported by the TrendAI Zero Day Initiative, complements the media‑handling issue by permitting unauthorized reading of private messages. This flaw stems from session key validation weaknesses that allow an attacker to forge session tokens and inject malicious packets into an established TLS tunnel. The protocol weakness affected specific Android and iOS versions of Telegram; however, the exact build numbers remain undisclosed.
Attack Chain Overview
- Preparation – An attacker crafts a malicious media file (image, video, or audio) embedding a payload that exploits the buffer overflow in Telegram’s media parser.
- Delivery – The file is sent to the victim via a Telegram chat or group. Because the vulnerability is zero‑click, the victim does not need to open or preview the file; simply receiving it is sufficient.
- Execution – Upon receipt, the Telegram client automatically processes the media file. The overflow corrupts the stack or heap, allowing the attacker’s shellcode to execute with the privileges of the Telegram process.
- Privilege Escalation – The compromised Telegram process runs with the user’s privileges. The attacker can then spawn a reverse shell, exfiltrate data, or pivot to other local services.
- Persistence – The attacker may install a backdoor or modify system settings to maintain access.
Because the attack requires no user interaction, it is classified as a zero‑click exploit. The AV:N/AC:L/PR:N/UI:N vector confirms that the attack is network‑based (AV:N), low in complexity (AC:L), requires no privileges (PR:N) and requires no user interaction (UI:N).
Affected Versions and Deployment Context
| Platform | Product | Affected Versions | Notes |
|---|---|---|---|
| macOS | Telegram Desktop | All releases prior to the forthcoming patch (exact version not yet disclosed) | CVE-2023-26818 identified in the media parser; likely the same flaw as ZDI-CAN-30207 |
The vulnerability is not limited to a particular deployment; any device running the affected client binaries is susceptible. Telegram’s own bug bounty program offers rewards up to $100,000, underscoring the severity of the flaw.
Code and Payloads
No publicly available code snippets or PoC payloads have been released by the researchers or Telegram. The ZDI report does not include any exploit code, and Telegram has not published a technical write‑up. Therefore, the analysis in this report is based solely on the reported vector and known CVE details.
Impact Assessment
Scope of Exposure
- Users: Every Telegram user on macOS, Android, or iOS who has not yet applied a patch is at risk.
- Enterprise Environments: Organizations that allow Telegram usage on employee devices, especially those with sensitive data, face potential data exfiltration and lateral movement.
- High‑Profile Targets: Public figures, journalists, or corporate executives who rely on Telegram for secure communication are particularly vulnerable due to the zero‑click nature of the exploit.
Real‑World Consequences
- Full System Compromise: Successful exploitation grants the attacker complete control over the victim’s device, enabling data theft, credential harvesting, and persistence.
- Privacy Violations: The MTProto flaw allows reading of private messages, undermining the confidentiality guarantees of the platform.
- Supply‑Chain Risk: If attackers compromise a device, they could use it to infiltrate corporate networks via phishing or credential reuse.
Detection & Response
Log Signatures
| Log Source | Indicator | Description |
|---|---|---|
| Telegram Client Logs | MediaProcessingError | Unexpected errors during media decoding may indicate exploitation. |
| OS Process Creation | Telegram process spawning sh or bash | Unusual child processes launched by the Telegram process. |
| Network Traffic | Outbound connections to unknown IPs from the Telegram process | Potential reverse shell activity. |
Network Indicators
- Outbound TCP/UDP to non‑Telegram IPs: The attacker’s reverse shell may connect to a command‑and‑control server.
- Unusual TLS Handshakes: TLS traffic originating from the Telegram process to external domains not in the Telegram whitelist.
Behavioral Patterns
- Sudden CPU/Memory Spike: A compromised Telegram process may exhibit abnormal resource usage.
- Unexpected File System Changes: Creation of hidden files or modification of system binaries.
Illustrative Detection Rule (not tested)
```yaml
title: Telegram Client Spawning a Shell
description: Detect anomalous process creation by the Telegram client (Telegram process launching sh or bash)
status: experimental
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # The parent is the Telegram process; the child is a shell.
        ParentImage|endswith: '\Telegram.exe'
        Image|endswith:
            - '\sh.exe'
            - '\bash.exe'
    condition: selection
falsepositives:
    - Legitimate scripting by Telegram
level: high
```
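To show how the Log Signatures and Network Indicators above would be checked in practice, here is an added Python example (not code from the advisory, ZDI or Telegram) that runs both checks over constructed Sysmon-style EventID 1 and EventID 3 records. The Telegram binary names, the shell list, the `telegram.example` allow-list and the 203.0.113.0/24 addresses are assumptions and placeholders.

```python
# Added example: hunt Sysmon-style events for Telegram spawning sh/bash and Telegram talking to non-allow-listed hosts.
import ipaddress
from typing import Iterable, List

TELEGRAM_IMAGES = {"telegram.exe", "telegram"}  # Windows and macOS binary names (assumed)
SHELLS = {"sh", "sh.exe", "bash", "bash.exe"}   # the shells named in the advisory
# Placeholder allow-list: substitute the Telegram domains your egress filtering permits.
ALLOWED_TELEGRAM_DOMAINS = {"telegram.example"}

def basename(path: str) -> str:
    """Case-folded last path component; accepts '\\' or '/' separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_allowed_destination(host: str) -> bool:
    """True only for an allow-listed domain or one of its subdomains; a bare IP is unknown."""
    try:
        ipaddress.ip_address(host)
        return False  # Sysmon resolved no hostname, so no domain can be matched
    except ValueError:
        pass
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_TELEGRAM_DOMAINS)

def detect(events: Iterable[dict]) -> List[str]:
    """Return one alert string per event matching either indicator."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1 and basename(ev.get("ParentImage", "")) in TELEGRAM_IMAGES \
                and basename(ev.get("Image", "")) in SHELLS:
            alerts.append(f"shell_spawn: {ev.get('CommandLine', '')}")
        elif eid == 3 and basename(ev.get("Image", "")) in TELEGRAM_IMAGES:
            dest = ev.get("DestinationHostname") or ev.get("DestinationIp", "")
            if not is_allowed_destination(dest):
                alerts.append(f"unknown_destination: {dest}:{ev.get('DestinationPort')}")
    return alerts

TG_WIN = r"C:\Users\alice\AppData\Roaming\Telegram Desktop\Telegram.exe"
TG_MAC = "/Applications/Telegram.app/Contents/MacOS/Telegram"
SAMPLE_EVENTS = [  # constructed records; 203.0.113.0/24 is a documentation range
    {"EventID": 1, "ParentImage": TG_WIN, "Image": r"C:\Program Files\Git\usr\bin\bash.exe", "CommandLine": "bash.exe -i"},
    {"EventID": 1, "ParentImage": TG_WIN, "Image": TG_WIN, "CommandLine": "Telegram.exe"},  # self-spawn, benign
    {"EventID": 1, "ParentImage": TG_MAC, "Image": "/bin/sh", "CommandLine": "/bin/sh -c whoami"},
    {"EventID": 3, "Image": TG_WIN, "DestinationHostname": "cdn.telegram.example", "DestinationPort": 443},
    {"EventID": 3, "Image": TG_WIN, "DestinationIp": "203.0.113.10", "DestinationPort": 4444},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The Telegram self-spawn and the allow-listed CDN connection produce no alert, so the two matches above correspond to the table's process-creation and network-traffic rows.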
Mitigation & Remediation
| Priority | Action | Description |
|---|---|---|
| 1 | Disable Automatic Media Downloads | In Telegram settings → Advanced → Disable “Auto‑download media.” This prevents the client from automatically processing malicious files. |
| 2 | Apply Official Patch | Once Telegram releases a fix (exact version TBD), update all client installations immediately. |
| 3 | Endpoint Protection | Ensure anti‑virus and EDR solutions are enabled and updated; many solutions flag anomalous process creation from Telegram. |
| 4 | Network Segmentation | Restrict outbound traffic from user devices to known Telegram domains only; block unknown destinations. |
Workaround Until Patch Availability
- macOS: Manually delete the Telegram.app bundle and reinstall the latest version from the official site once available.
- Android/iOS: Uninstall and reinstall the app; avoid installing from third‑party stores.
Timeline
- 26 March 2026 – Vulnerability reported to Telegram developers.
- 24 July 2026 – Public disclosure deadline set by ZDI.
Sources & References
- Daily CyberSecurity – Telegram Critical Zero‑Click Vulnerability ZDI‑CAN‑30207
- Anti‑Malware.ru – Telegram given four months to fix a critical vulnerability
- Kod.ru – A critical zero‑day vulnerability discovered in Telegram
- The Cyber Express – Telegram Dismisses Claims of ‘High‑risk’ RCE Bug in its Desktop…
- LinkedIn – Critical Vulnerability Found in Telegram’s MTProto Protocol