
Telegram's 9.8 CVSS Flaw: What No-Click Attacks Mean for Your Business

Kyanite Blue Labs, Threat Intelligence·31 March 2026

A Sticker That Could Own Your Device

A corrupted sticker. That's the alleged attack vector behind one of the most alarming vulnerability disclosures of the year. Researchers have identified a critical flaw in the Telegram messaging application that carries a CVSS score of 9.8 out of 10 — the near-maximum rating reserved for vulnerabilities that are remotely exploitable, require no privileges, and demand zero interaction from the victim. The flaw, as reported by Dark Reading, is said to be triggered when a malicious sticker file is delivered to a target through the app. The recipient doesn't tap it, doesn't open it, doesn't do anything. The payload executes regardless. That's the definition of a no-click or zero-click attack.

Telegram has pushed back strongly, denying that the vulnerability exists. But here's the problem: the security community doesn't have the luxury of waiting for vendor confirmation before taking the threat seriously. History has shown, repeatedly, that denial is not the same as disproof.

What Is a Zero-Click Vulnerability and Why Is It So Dangerous?

Most cyber attacks rely on human error. A user clicks a phishing link, opens a malicious attachment, or approves a dodgy permission request. Security awareness training, email filtering, and endpoint controls are all built around this assumption: that there's a human in the loop who can be educated, warned, or protected.

Zero-click vulnerabilities break that model entirely. In a zero-click attack, the exploit fires the moment a malicious payload reaches the target device — often through a trusted communication channel like a messaging app. The user's inbox, their sticker pack, their notification tray: these become the attack surface. There's no suspicious link to avoid. There's no warning sign to recognise.

A CVSS score of 9.8 reflects exactly this danger. The Common Vulnerability Scoring System rates flaws across multiple dimensions: attack vector (network), attack complexity (low), privileges required (none), user interaction (none). When all of those factors align, you get a near-perfect score. Put simply, a 9.8 means an attacker sitting anywhere on the internet could potentially exploit this without any cooperation from the target.

For context, the infamous FORCEDENTRY exploit used by NSO Group to deploy Pegasus spyware against journalists and activists was also a zero-click vulnerability — and it weaponised image-rendering libraries in Apple's iMessage. The Telegram sticker mechanism reportedly operates through a similar principle: the app processes the file automatically, and a corrupted file could trigger arbitrary code execution before any human decision is made.

  • Zero-click attacks require no action from the victim — not even opening a message
  • CVSS 9.8 indicates remote exploitability with no privileges and no user interaction required
  • Messaging apps are high-value targets because they're trusted, always-on, and process rich media automatically
  • Mobile devices used for business communications sit outside many traditional security controls

Why Telegram's Denial Doesn't End the Conversation

Telegram's position is straightforward: the vulnerability doesn't exist. The company has not published a CVE, has not issued a patch, and has not acknowledged any security advisory related to this specific flaw. That's its right. Vendors dispute vulnerability reports regularly, and not every disclosure is accurate. Researchers make mistakes. Proof-of-concept exploits don't always translate into real-world attack chains. These are fair points.

However, there's a pattern worth recognising. When Apple was first confronted with evidence of FORCEDENTRY in 2021, the initial response was measured at best. When WhatsApp patched a zero-click exploit in 2019 (CVE-2019-3568, CVSS 9.8), the disclosure came only after attacks had already been observed in the wild. Vendor denials and delayed acknowledgements are not rare events in the history of zero-click vulnerabilities — they are the norm.

The responsible approach for any security team isn't to wait for Telegram to change its position. It's to assess exposure now and apply controls that don't depend on a vendor's self-assessment.

That's especially true given Telegram's unique position in the threat landscape. The platform has over 900 million monthly active users as of 2024, according to Telegram's own published figures. It is used extensively by businesses, activists, journalists, and — notably — by threat actors themselves. Kyanite Blue's own threat intelligence monitoring consistently surfaces Telegram channels being used to distribute malware, sell stolen credentials, and coordinate ransomware operations.

How Does This Affect UK and NZ Businesses Specifically?

Telegram is not a fringe application. In many sectors — construction, logistics, financial services, professional services — it has become a legitimate business communication tool, particularly for teams with international contacts or a preference for encrypted messaging.

For UK businesses operating under the UK GDPR framework, and for New Zealand organisations subject to the Privacy Act 2020, a zero-click compromise of an employee device used for business communications could constitute a notifiable data breach. The Information Commissioner's Office (ICO) requires notification within 72 hours of becoming aware of a breach likely to result in risk to individuals' rights and freedoms. The Office of the Privacy Commissioner in New Zealand operates under similar notification obligations.

Here's the practical risk profile: an attacker who can achieve remote code execution on a device via Telegram has effectively gained a foothold on that device. From there, they can access stored credentials, intercept communications, exfiltrate documents, or pivot to corporate systems the device connects to. If that device is enrolled in a mobile device management (MDM) system and connected to corporate email or cloud storage, the blast radius expands considerably.

For organisations in Australasia using ESET's enterprise endpoint protection, it's worth reviewing whether mobile threat defence policies extend to communication applications and their file-processing behaviours. Endpoint protection that covers laptops but leaves mobile devices unmonitored is a gap that attacks like this are designed to exploit. You can explore ESET's enterprise capabilities for the NZ and Australian markets on our dedicated pages at /new-zealand and /australia.

  • UK GDPR requires breach notification to the ICO within 72 hours of awareness
  • New Zealand's Privacy Act 2020 mandates notification of serious privacy breaches to the OPC
  • A compromised mobile device connected to corporate systems extends the attack surface significantly
  • Telegram is used across professional sectors as a legitimate communication tool, not just by consumers

What Defences Should Be in Place Right Now?

The honest answer is that no single control stops a zero-click exploit on a messaging application if the underlying vulnerability is genuine and unpatched. But that's not the same as being defenceless. Defence in depth exists precisely for scenarios where one layer fails.

First, attack surface visibility. If you don't know which devices in your organisation run Telegram, you can't assess your exposure. Tools like Hadrian's continuous attack surface management provide an outside-in view of your digital footprint — identifying what's exposed, what's internet-facing, and where risks are concentrating before an attacker maps them for you. See more at /products/hadrian.

Second, data exfiltration controls. A successful zero-click exploit typically leads to one of two outcomes: ransomware deployment or data theft. BlackFog's anti-data exfiltration technology operates at the device level to prevent unauthorised data leaving the endpoint, regardless of the method an attacker uses to initiate the transfer. That's a meaningful backstop when perimeter controls haven't detected the initial compromise. Learn more at /products/blackfog.

Third, managed detection and response. The window between initial compromise and damage is measured in hours in most ransomware cases, yet IBM's 2023 Cost of a Data Breach Report found the average time to identify a breach was 204 days. That gap closes dramatically with 24/7 monitoring. Sophos MDR provides continuous threat hunting and response across endpoints, networks, and cloud environments, and can identify anomalous behaviour that follows a device compromise even if the initial exploit goes undetected.

Fourth, unified endpoint and email security. For UK businesses, Coro provides a single platform covering endpoint, email, and cloud security. If Telegram on a managed device begins behaving unusually following a suspected exploit — reaching out to command-and-control infrastructure, accessing the file system in unexpected ways — endpoint telemetry should surface that activity.

Finally, practical housekeeping: restrict Telegram on corporate devices where there's no business justification for it, ensure auto-download of media is disabled in Telegram's settings (this is configurable and limits automated file processing), and keep the application updated the moment a patch is released.

  • Disable automatic media download in Telegram settings: Settings > Privacy and Security > Auto-Download Media
  • Apply mobile device management policies that restrict or monitor communication applications on corporate devices
  • Ensure endpoint protection covers mobile devices, not just laptops and desktops
  • Review and test incident response procedures for a zero-click mobile compromise scenario
  • Monitor for anomalous outbound connections from devices where Telegram is installed
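The last bullet, and the "Fourth" point above about endpoint telemetry surfacing unusual Telegram behaviour, can be turned into a concrete triage rule. The following is an added example written for this page; it is not code from the article, from Kyanite Blue, or from any vendor named here. It assumes endpoint or MDM telemetry exported as one JSON object per line with the field names used in the block (an assumption; real products differ), and every sample record, the allowlisted prefix and the thresholds are constructed for illustration using RFC 5737 documentation addresses, not Telegram's real infrastructure ranges. The rule flags a watched messaging process that talks to destinations outside its expected infrastructure, and separately flags any single large outbound transfer from such a process, which is the data-theft outcome the "Second" point describes.

```python
"""Post-compromise triage over messaging-app network telemetry.

Added example for this article; not code from the article or any vendor.
Field names, allowlist prefix, thresholds and all sample records are
constructed assumptions, and the IP addresses are RFC 5737 documentation
ranges rather than any real messaging provider's infrastructure.
"""
import json
from ipaddress import ip_address, ip_network

# Placeholder allowlist: in practice populate from the messaging vendor's
# published infrastructure ranges. 203.0.113.0/24 is a documentation prefix.
EXPECTED_DESTINATIONS = [ip_network("203.0.113.0/24")]

# Process names to watch (assumed; take them from your own MDM inventory).
WATCHED_PROCESSES = {"telegram", "org.telegram.messenger"}

# Tuning knobs (assumptions to adjust per estate).
MAX_BYTES_OUT = 5_000_000      # one flow pushing >5 MB out of a phone
MIN_UNEXPECTED_FOR_ISOLATION = 2   # distinct unexpected hosts per device

# Constructed telemetry: mob-017 shows a watched process contacting two
# unknown hosts and shipping ~7 MB; mob-021 shows only benign traffic.
SAMPLE_TELEMETRY = """
{"ts":"2026-03-31T08:00:01Z","device":"mob-017","process":"org.telegram.messenger","dst_ip":"203.0.113.10","dst_port":443,"bytes_out":4120}
{"ts":"2026-03-31T08:00:05Z","device":"mob-017","process":"org.telegram.messenger","dst_ip":"203.0.113.12","dst_port":443,"bytes_out":911}
{"ts":"2026-03-31T08:01:44Z","device":"mob-017","process":"org.telegram.messenger","dst_ip":"198.51.100.77","dst_port":8443,"bytes_out":620}
{"ts":"2026-03-31T08:02:10Z","device":"mob-017","process":"org.telegram.messenger","dst_ip":"198.51.100.77","dst_port":8443,"bytes_out":7340032}
{"ts":"2026-03-31T08:02:30Z","device":"mob-017","process":"org.telegram.messenger","dst_ip":"192.0.2.5","dst_port":53,"bytes_out":300}
{"ts":"2026-03-31T08:03:00Z","device":"mob-021","process":"org.telegram.messenger","dst_ip":"203.0.113.10","dst_port":443,"bytes_out":2200}
{"ts":"2026-03-31T08:03:30Z","device":"mob-021","process":"com.android.chrome","dst_ip":"198.51.100.77","dst_port":443,"bytes_out":15000}
"""


def parse_telemetry(text: str) -> list:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_expected(dst_ip: str) -> bool:
    """True if the destination falls inside the allowlisted infrastructure."""
    addr = ip_address(dst_ip)
    return any(addr in net for net in EXPECTED_DESTINATIONS)


def triage(records: list) -> dict:
    """Return {device: [finding, ...]} for watched processes only.

    Findings: 'unexpected_destination' (once per device/destination pair) and
    'large_outbound' (per flow over MAX_BYTES_OUT to an unexpected host).
    """
    findings = {}
    seen_unexpected = set()
    for rec in records:
        if rec["process"].lower() not in WATCHED_PROCESSES:
            continue
        if is_expected(rec["dst_ip"]):
            continue
        device, dst = rec["device"], rec["dst_ip"]
        device_findings = findings.setdefault(device, [])
        if (device, dst) not in seen_unexpected:
            seen_unexpected.add((device, dst))
            device_findings.append({"kind": "unexpected_destination",
                                    "dst": dst, "port": rec["dst_port"],
                                    "first_seen": rec["ts"]})
        if rec["bytes_out"] > MAX_BYTES_OUT:
            device_findings.append({"kind": "large_outbound", "dst": dst,
                                    "bytes_out": rec["bytes_out"],
                                    "ts": rec["ts"]})
    return findings


def devices_to_isolate(findings: dict) -> list:
    """Devices whose findings warrant isolation and IR follow-up: any large
    outbound transfer, or several distinct unexpected destinations."""
    flagged = []
    for device, items in findings.items():
        kinds = [f["kind"] for f in items]
        if ("large_outbound" in kinds
                or kinds.count("unexpected_destination") >= MIN_UNEXPECTED_FOR_ISOLATION):
            flagged.append(device)
    return sorted(flagged)


if __name__ == "__main__":
    result = triage(parse_telemetry(SAMPLE_TELEMETRY))
    for device, items in result.items():
        for f in items:
            print(device, f)
    print("isolate:", devices_to_isolate(result))
```

On the constructed sample only mob-017 produces findings: two unexpected destinations plus one large outbound flow, which is enough to put it on the isolation list, while mob-021's browser traffic to the same unknown host is ignored because the rule deliberately scopes to the messaging process. The allowlist approach is what keeps false positives manageable; the vendor's real ranges and the byte threshold are the two values a practitioner has to supply from their own environment.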

The Bigger Pattern: Why Messaging Apps Are the New Email

Email security has matured considerably over the past decade. Organisations invest in gateway filtering, sandboxing, anti-phishing controls, and user awareness training. Attackers have noticed. The path of least resistance has shifted.

Messaging applications — Telegram, WhatsApp, Signal, Slack, Teams — now carry the same operational weight that email did a decade ago. They transmit files, links, credentials, and sensitive discussions. Yet many organisations apply none of the same scrutiny to them that they apply to email.

The Telegram flaw, whether or not it proves to be genuine, is a signal. Messaging platforms process rich media, execute code to render content, and operate in a trusted context on devices that also hold corporate data. They are, structurally, a significant attack surface.

Threat actors already understand this. The use of messaging platforms for initial access and command-and-control has grown steadily across threat actor groups tracked by major intelligence providers. A platform with 900 million users and end-to-end encryption for certain message types is operationally attractive to both defenders and attackers.

The organisations that come through the next wave of messaging-platform attacks intact won't be those that waited for a CVE to be confirmed. They'll be those that treated their communication tooling with the same rigour they apply to their email stack and their network perimeter.

What Should You Do This Week?

You don't need to wait for Telegram to publish a patch or acknowledge the vulnerability to take sensible precautions. The following steps are low-cost, immediately actionable, and defensible regardless of how this specific disclosure resolves.

Audit Telegram usage across your organisation. Understand whether it's on corporate devices, whether it's used for business communications, and whether auto-download settings are enabled. That audit takes less than a day and gives you an accurate picture of your exposure.

Review your mobile endpoint protection. If your endpoint security doesn't extend to mobile devices or doesn't monitor the behaviour of applications like Telegram, that's a gap worth addressing before the next zero-click disclosure — not after.

Test your detection and response capability. If a device on your network were silently compromised tonight, how long would it take your team to detect anomalous behaviour? If the honest answer is 'we don't know,' that's the gap Sophos MDR is built to close.

If you'd like a review of your current exposure to mobile and messaging application threats, Kyanite Blue's team can help. Contact us to discuss how we approach attack surface management and endpoint protection for organisations across the UK, New Zealand, and Australia.

Frequently Asked Questions

What is the Telegram zero-click vulnerability and how does it work?

The reported Telegram vulnerability carries a CVSS score of 9.8 and is allegedly triggered by a corrupted sticker file delivered through the app. A zero-click exploit requires no action from the recipient — the malicious payload executes automatically when the file is processed by the application. Telegram denies the vulnerability exists, but no patch has been issued as of the time of writing.

How can businesses protect themselves from zero-click messaging app attacks?

Businesses should disable automatic media download in Telegram's settings, apply mobile device management policies to restrict communication apps on corporate devices, ensure endpoint protection covers mobile as well as desktop, and deploy 24/7 managed detection and response to identify anomalous post-compromise behaviour. Attack surface management tools can identify which devices and applications represent live exposure across your organisation.

Does a CVSS score of 9.8 mean the Telegram vulnerability is definitely being exploited?

No. A CVSS score reflects the theoretical severity of a vulnerability — specifically how easy it would be to exploit if the flaw exists and is weaponised. A score of 9.8 indicates remote exploitability with no privileges and no user interaction required. It does not confirm active exploitation. However, high CVSS scores on no-click vulnerabilities warrant immediate defensive action regardless of confirmed exploitation status.

Tags: Telegram, zero-click exploit, mobile security, CVE, endpoint protection
