PT-2025-26780 · Telegram · Hikka
Hikariatama · Published 2025-06-24 · Updated 2025-12-08
CVE-2025-52572 · CVSS v3.1: 10.0 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
Hikka, all versions
Description:
The issue affects all users on all versions of Hikka, a Telegram userbot. Two scenarios are possible:
- If the web interface has no authenticated session (it is left dangling, waiting for a login), an attacker can authorize in it with their own Telegram account and thereby gain remote code execution (RCE) on the server.
- If the web interface does have an authenticated session, the confirmation prompt warned users insufficiently, so they could be tempted to click "Allow" in the "Allow web application ops" menu; this gives the attacker not only RCE but also access to the owner's Telegram account. Scenario 2 is known to have been exploited in the wild.
Recommendations:
- Use the --no-web flag and do not start the userbot without it.
- After authorizing in the web interface, close the port on the server and/or restart the userbot with the --no-web flag.
- Do not click "Allow" in your helper bot unless the request corresponds to an action you explicitly initiated.
Tags: Exploit, Fix, RCE, Improper Authentication
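A quick way to verify that the "close the port" recommendation actually took effect is to check, after the userbot starts, whether the web interface port is still bound on a non-loopback address. The following POSIX shell script is an added example and is not Hikka project code; it parses the output of `ss -ltn`, ships with a constructed sample so it runs offline, and assumes port 8080 as a placeholder (Hikka's web port is whatever you configured, so pass the real value).

```shell
#!/bin/sh
# Added example, not part of Hikka: report whether a TCP port is reachable
# from the network (bound on something other than 127.0.0.1 / [::1]),
# based on the column layout of `ss -ltn`. Port 8080 below is an assumption.

# Constructed sample of `ss -ltn` output (not captured from a real host):
# port 8080 is bound on loopback v4, on all v4 addresses, and on loopback v6.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:8080    0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080      0.0.0.0:*
LISTEN 0      128    [::1]:8080        [::]:*
LISTEN 0      128    *:22              *:*'

# exposed_listeners PORT SS_OUTPUT
# Prints every local address listening on PORT that is not loopback-only.
exposed_listeners() {
    port="$1"
    printf '%s\n' "$2" | awk -v p="$port" '
        $1 == "LISTEN" {
            addr = $4                       # Local Address:Port column
            n = split(addr, parts, ":")     # port is the last ":"-field,
            if (parts[n] != p) next         # also for [::1]:8080
            host = substr(addr, 1, length(addr) - length(p) - 1)
            if (host == "127.0.0.1" || host == "[::1]") next
            print host
        }'
}

# is_exposed PORT SS_OUTPUT: exit status 0 if PORT is network-reachable.
is_exposed() {
    [ -n "$(exposed_listeners "$1" "$2")" ]
}

# Live mode: `sh check_web_port.sh --live [PORT]` inspects the running host.
if [ "${1:-}" = "--live" ]; then
    port="${2:-8080}"
    command -v ss >/dev/null 2>&1 || { echo "ss not found"; exit 2; }
    out=$(ss -ltn 2>/dev/null)
    if is_exposed "$port" "$out"; then
        echo "port $port is reachable from the network:"
        exposed_listeners "$port" "$out"
        echo "restart the userbot with --no-web or firewall the port"
        exit 1
    fi
    echo "port $port is not exposed beyond loopback"
fi
```

Run it against the sample by sourcing the file and calling `is_exposed 8080 "$SAMPLE_SS"`; run it with `--live` on the server after starting Hikka. A clean result means only loopback (or nothing) is bound, which is the state the recommendations above aim for; an address such as `0.0.0.0` or `*` means both attack scenarios in the description remain reachable.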
Weakness Enumeration: Improper Authentication
Related Identifiers: CVE-2025-52572
Affected Products: Hikka