Back to Home

ZDI-CAN-30207 Vulnerability in Telegram: CVSS 9.8 analysis

Zero-day ZDI-CAN-30207 vulnerability discovered in Telegram with CVSS 9.8. Attack vector allows remote RCE without privileges and interaction. Breakdown of metrics and recommendations for specialists.

Zero-day in Telegram: ZDI-CAN-30207 with CVSS 9.8 and RCE
Advertisement 728x90

ZDI-CAN-30207 Vulnerability in Telegram: CVSS v4 Analysis and Attack Vector

Zero Day Initiative has published an advisory on a zero-day vulnerability in Telegram identified as ZDI-CAN-30207. TrendAI researcher Michael DePlante (izobashi) discovered the issue, which scores 9.8/10 on CVSS v4. The attack vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H signals high danger: remote code execution without user interaction.

The vulnerability impacts confidentiality (C:H), integrity (I:H), and availability (A:H), pointing to potential arbitrary code execution. Telegram has 120 days to patch under ZDI rules, but the criticality could accelerate the release.

CVSS Attack Vector Breakdown

The attack vector outlines the vulnerability's characteristics:

Google AdInline article slot
  • AV:N — Attack Vector: Network. Exploitation is possible remotely over the network, without physical access.
  • AC:L — Attack Complexity: Low. Low complexity—no special conditions or tools required.
  • PR:N — Privileges Required: None. The attack requires no account or privileges.
  • UI:N — User Interaction: None. No victim interaction needed—just receiving the data.
  • S:U — Scope: Unchanged. Impact is limited to the vulnerable component.
  • C:H/I:H/A:H — high impact on the CIA triad.

This combination makes the vulnerability perfect for mass attacks: RCE over the network with no clicks required.

| CVSS Metric | Value | Description |

|-------------|--------|-------------|

Google AdInline article slot

| AV | N | Network attack |

| AC | L | Low complexity |

| PR | N | No privileges |

Google AdInline article slot

| UI | N | No interaction |

| S | U | Unchanged scope |

| C/I/A | H | High impact |

Criticality Assessment and Consequences

The 9.8/10 score places the vulnerability in the critical category (9.0–10.0). For mid- and senior-level developers, key points include:

  • RCE potential: C:H/I:H/A:H—leads to arbitrary code execution in 99% of cases.
  • Scale: Affects all Telegram platforms without authentication.
  • Time window: 120 days is the ZDI standard, but Telegram may act faster.
  • Mitigation: Avoid suspicious links or files until the patch; monitor for updates.

No public PoCs are available yet, reducing immediate risk, but its ZDI listing indicates a genuine threat.

Key Points

  • ZDI-CAN-30207 vulnerability in Telegram has a CVSS score of 9.8 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
  • Enables remote code execution without user interaction.
  • Discovered by Michael DePlante (TrendAI/izobashi) via Zero Day Initiative.
  • Telegram has 120 days to fix; keep an eye on updates.
  • Recommendation: Audit network traffic and apply patches promptly.

— Editorial Team

Advertisement 728x90

Read Next