CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Description (NVD)
Hikka, a Telegram userbot, has a vulnerability that affects all users on all versions of Hikka. Two scenarios are possible.
1. The web interface does not have an authenticated session: an attacker can use their own Telegram account to gain remote code execution on the server by authorizing in the dangling web interface.
2. The web interface does have an authenticated session: due to an insufficient warning in the authentication message, users were tempted to click "Allow" in the "Allow web application ops" menu. This gave an attacker not only remote code execution, but also access to the Telegram accounts of the owners.
Scenario 2 is known to have been exploited in the wild. No patches are available, but some workarounds are: use the --no-web flag and do not start the userbot without it; after authorizing in the web interface, close the port on the server and/or start the userbot with the --no-web flag; and do not click "Allow" in your helper bot unless it is your own explicit action that needs to be allowed.
Analysis (AI)
CVE-2025-52572 is a critical remote code execution vulnerability in Hikka, a Telegram userbot, affecting all versions on all platforms. There are two exploitation paths: an unauthenticated web interface that allows direct RCE via an attacker-controlled Telegram account, and an authenticated interface where insufficient UI warnings trick users into granting dangerous permissions, enabling both RCE and Telegram account compromise. Scenario 2 has been actively exploited in the wild. The CVSS 10.0 score reflects a network-accessible, unauthenticated attack path with complete system compromise.
Technical Context (AI)
Hikka is a Telegram userbot framework that includes a web interface component for remote management and automation. The vulnerability stems from CWE-287 (Improper Authentication) in two distinct contexts: (1) insufficient or missing authentication checks on the web interface endpoints, allowing any attacker who can reach the interface and holds a Telegram account to authorize and execute arbitrary code on the host system, and (2) inadequate user warnings and consent mechanisms in the OAuth-like permission grant flow ("Allow web application ops"), which lets social engineering push users into authorizing sensitive operations. The root cause is a combination of weak access controls on the web management interface and insufficient friction in the privilege escalation consent step. The web interface likely exposes dangerous operations (code execution, file access, Telegram API token usage) without proper authentication or explicit user confirmation.
Remediation (AI)
Immediate mitigation (no patches available):
(1) Disable the web interface entirely: start Hikka with the --no-web flag as a permanent configuration to eliminate both the unauthenticated and the authenticated attack surface.
(2) Network isolation: firewall the web interface port (bind it to localhost only or block it externally) and restrict access to trusted IPs only.
(3) Revoke dangerous permissions: if users have previously clicked "Allow" in the helper bot's "Allow web application ops" menu, remove that authorization via the Telegram bot settings and do not re-grant it unless actively needed.
(4) Account hygiene: rotate Telegram session tokens and review connected applications in the Telegram client settings.
Long-term: monitor the Hikka GitHub repository (https://github.com/hikarirepo/Hikka) for security patches or version updates that address the CWE-287 authentication deficiencies. As of now, no patched versions exist; users must rely entirely on workarounds.
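As an added example (not Hikka's own code) of verifying that mitigations (1) and (2) are actually in place, the POSIX shell script below audits process and listener listings for Hikka instances started without --no-web and for Hikka listeners bound to a non-loopback address. It assumes Hikka is launched as `python3 -m hikka` and that the listings come from `ps -eo pid,args` and `ss -ltnp`; neither the launch form nor the port is stated on the page, and the sample listings are constructed.

```shell
#!/bin/sh
# Added example, not Hikka project code. Checks the advisory's workaround:
# every Hikka process should run with --no-web, and no Hikka process should
# hold a listener on a non-loopback address.
# Assumptions (not from the advisory): Hikka is launched as "python3 -m hikka";
# listings are in the format of "ps -eo pid,args" and "ss -ltnp".

# Constructed sample listings used for offline demonstration.
SAMPLE_PS='  101 python3 -m hikka --no-web
  102 python3 -m hikka
  103 /usr/sbin/sshd -D'

SAMPLE_SS='LISTEN 0 128 127.0.0.1:8080 0.0.0.0:* users:(("python3",pid=101,fd=7))
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("python3",pid=102,fd=7))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=103,fd=3))'

# Print the PID of every Hikka process whose command line lacks --no-web.
hikka_pids_without_noweb() {
    printf '%s\n' "$1" | while read -r pid args; do
        case " $args " in
            *" -m hikka "*)
                case " $args " in
                    *" --no-web "*) ;;          # workaround applied
                    *) printf '%s\n' "$pid" ;;  # web interface still enabled
                esac ;;
        esac
    done
}

# Print "pid local-address" for each Hikka listener not bound to loopback.
hikka_exposed_listeners() {
    # $1: ps listing, $2: ss listing
    hikka_pids=$(printf '%s\n' "$1" | while read -r pid args; do
        case " $args " in *" -m hikka "*) printf ' %s ' "$pid" ;; esac
    done)
    printf '%s\n' "$2" | while read -r state recvq sendq laddr peer proc; do
        pid=${proc#*pid=}; pid=${pid%%,*}           # pid from users:((...))
        case "$hikka_pids" in *" $pid "*) ;; *) continue ;; esac
        case "$laddr" in
            127.*|"[::1]"*) ;;                      # loopback only: acceptable
            *) printf '%s %s\n' "$pid" "$laddr" ;;  # reachable from the network
        esac
    done
}

# Returns 0 when the workaround is fully applied, 1 otherwise.
check_hikka_workaround() {
    [ -z "$(hikka_pids_without_noweb "$1")" ] &&
        [ -z "$(hikka_exposed_listeners "$1" "$2")" ]
}
```

On a live host, feed it `"$(ps -eo pid,args)"` and `"$(ss -ltnp)"` instead of the constructed samples.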
EUVD-2025-19066