好的,我现在需要帮用户总结一篇文章,控制在100字以内。首先,我得仔细阅读文章内容,抓住主要信息。 文章讲的是Telegram被曝出一个零日漏洞,允许攻击者在无需用户互动的情况下远程执行代码。研究人员Michael DePlante通过ZDI披露了这个漏洞,编号ZDI-CAN-30207,CVSS评分9.8,属于严重级别。攻击者只需发送恶意动图贴纸就能触发漏洞,影响Android和Linux用户。 不过,Telegram否认了这一漏洞的存在,称所有贴纸在服务器端都会经过验证,无法作为攻击载体。目前还没有补丁发布,漏洞细节也没有公开。意大利的ACN也报告了这一点,并建议企业用户限制新联系人的消息接收。 接下来,我需要将这些信息浓缩到100字以内。重点包括:Telegram被曝零日漏洞、无需用户操作、发送恶意动图即可控制设备、影响的平台、Telegram否认漏洞存在、尚未修复以及可能带来的安全风险。 要注意用词简洁明了,避免冗长的解释。同时,确保涵盖所有关键点:漏洞的存在、影响范围、攻击方式、Telegram的回应以及当前的状态。 最后检查一下字数是否符合要求,并确保语句通顺自然。 </think> Telegram被曝存在未修复的零日漏洞,允许攻击者通过发送恶意动图贴纸远程控制设备。该漏洞影响Android和Linux用户,无需用户互动即可执行代码。尽管研究人员披露了这一高危漏洞(CVSS评分9.8),但Telegram否认其存在,并称所有贴纸均经过服务器端验证以防止恶意文件攻击。目前尚无补丁修复此问题。 2026-3-30 14:7:27 Author: securityaffairs.com(查看原文) 阅读量:7 收藏
It’s a mystery … alleged unpatched Telegram zero-day allows device takeover, but Telegram denies
A critical Telegram flaw could allow zero-click remote code execution on devices, but Telegram denies it.
Researcher Michael DePlante (@izobashi) of TrendAI Zero Day disclosed a new Telegram vulnerability through Zero Day Initiative (ZDI).
The vulnerability, tracked as ZDI-CAN-30207 (CVSS score of 9.8) allows attackers to execute code on targeted devices without any user interaction. This vulnerability is especially dangerous because an attacker can exploit it simply by sending a malicious animated sticker, with no action required from the victim. The vulnerability lies in how Telegram automatically processes media to generate previews, allowing crafted files to trigger code execution.
The flaw poses a serious security risk, especially as no patch is currently available, raising concerns across the cybersecurity community.
The vulnerability affects Telegram on Android and Linux; if exploited, it allows attackers to take full control of a device.
At this time it is unclear if threat actors have already exploited it in attacks in the wild.
The Zero Day Initiative did not disclose technical details about the vulnerability to give the company time to address it by July 24, 2026.
The Italian National Cybersecurity Agency (ACN) reported that Telegram has denied the disclosed zero-click vulnerability, stating it does not exist. The company says all stickers are validated server-side before delivery, preventing malicious files from being used as an attack vector and making code execution via stickers technically impossible.
“Following direct discussions, Telegram Messenger has formally denied the existence of the previously reported zero-click vulnerability, stating that the flaw does not exist. The vendor claims that every sticker uploaded to the platform undergoes mandatory validation on its servers before being distributed to client applications.” reads an update published on the ACN’s advisory. “According to this official position, the centralized filtering process prevents corrupted stickers from being used as an attack vector, making it technically impossible to execute malicious code through this method.”
As a mitigation measure, Telegram Business users can limit incoming messages from new contacts. In Settings → Privacy and Security → Messages, they can restrict messages to saved contacts or Premium users only.
Exploits targeting popular platforms like Telegram can be worth millions on underground markets, and threat actors can quickly weaponize them.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, zero-day)
如有侵权请联系:admin#unsafe.sh