ZDI-CAN-30207 Vulnerability in Telegram: CVSS v4 Analysis and Attack Vector
Zero Day Initiative has published an advisory on a zero-day vulnerability in Telegram identified as ZDI-CAN-30207. TrendAI researcher Michael DePlante (izobashi) discovered the issue, which scores 9.8/10 on CVSS v4. The attack vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H signals high danger: remote code execution without user interaction.
The vulnerability impacts confidentiality (C:H), integrity (I:H), and availability (A:H), pointing to potential arbitrary code execution. Telegram has 120 days to patch under ZDI rules, but the criticality could accelerate the release.
CVSS Attack Vector Breakdown
The attack vector outlines the vulnerability's characteristics:
- AV:N — Attack Vector: Network. Exploitation is possible remotely over the network, without physical access.
- AC:L — Attack Complexity: Low. Low complexity—no special conditions or tools required.
- PR:N — Privileges Required: None. The attack requires no account or privileges.
- UI:N — User Interaction: None. No victim interaction needed—just receiving the data.
- S:U — Scope: Unchanged. Impact is limited to the vulnerable component.
- C:H/I:H/A:H — high impact on the CIA triad.
This combination makes the vulnerability perfect for mass attacks: RCE over the network with no clicks required.
| CVSS Metric | Value | Description |
|-------------|--------|-------------|
| AV | N | Network attack |
| AC | L | Low complexity |
| PR | N | No privileges |
| UI | N | No interaction |
| S | U | Unchanged scope |
| C/I/A | H | High impact |
Criticality Assessment and Consequences
The 9.8/10 score places the vulnerability in the critical category (9.0–10.0). For mid- and senior-level developers, key points include:
- RCE potential: C:H/I:H/A:H—leads to arbitrary code execution in 99% of cases.
- Scale: Affects all Telegram platforms without authentication.
- Time window: 120 days is the ZDI standard, but Telegram may act faster.
- Mitigation: Avoid suspicious links or files until the patch; monitor for updates.
No public PoCs are available yet, reducing immediate risk, but its ZDI listing indicates a genuine threat.
Key Points
- ZDI-CAN-30207 vulnerability in Telegram has a CVSS score of 9.8 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
- Enables remote code execution without user interaction.
- Discovered by Michael DePlante (TrendAI/izobashi) via Zero Day Initiative.
- Telegram has 120 days to fix; keep an eye on updates.
- Recommendation: Audit network traffic and apply patches promptly.
— Editorial Team
No comments yet.