Critical Remote Code Execution Vulnerability in

Hikka Telegram Userbot

CVE-2025-52572 is a critical security vulnerability affecting all versions of Hikka, a Telegram userbot. This vulnerability enables remote code execution (RCE) on the server running the userbot and can also lead to compromise of the Telegram accounts of the bot owners. The vulnerability arises from improper authentication and insecure handling of the web interface used by Hikka.

Details of the Vulnerability

Two main attack scenarios are possible:

1. Unauthenticated Web Interface Access
If the Hikka web interface does not have an authenticated session, an attacker can use their own Telegram account to authorize themselves on the dangling web interface. This allows the attacker to gain remote code execution on the server hosting the userbot. Essentially, the attacker hijacks the web interface without needing prior credentials or access.

2. Authenticated Web Interface with Insufficient Warning
When the web interface is authenticated, users receive an "Allow web application ops" prompt. Due to insufficient warning messages, users have been tricked into clicking "Allow," which grants attackers not only remote code execution capabilities but also full access to the Telegram accounts of the userbot owners. This second scenario has been confirmed as actively exploited in the wild, making it a high-risk threat.

Impact

Remote Code Execution (RCE): Attackers can execute arbitrary code on the server running the userbot, potentially taking full control of the system.
Telegram Account Compromise: Attackers can gain unauthorized access to the Telegram accounts of the userbot owners, leading to data theft, impersonation, or further attacks.
High Severity: The vulnerability has been assigned a CVSS v3 base score of 10.0 (CRITICAL), reflecting its ease of exploitation and severe impact on confidentiality, integrity, and availability.

No Official Patch Yet

As of the published date (June 24, 2025), there are no official patches available to fix this vulnerability. The Hikka repository was archived earlier in 2025, and no updates addressing this issue have been released2.

Recommended Workarounds and Mitigations

Until an official patch is released, users of Hikka should adopt the following mitigations to reduce risk:

Use the --no-web flag: Start the userbot with the --no-web option to disable the web interface entirely. Do not start the userbot without this flag.
Close Web Interface Ports: If the web interface must be used temporarily, close the server port immediately after authorizing and then restart the userbot with --no-web.
Be Cautious with "Allow" Prompts: Do not click "Allow" in the helper bot's "Allow web application ops" menu unless you explicitly intend to authorize the action.
Disable or Restrict Web Interface Access: Consider disabling the web interface or restricting its access to trusted networks only.

Sample Attack Scenario

Scenario 1: Unauthorized RCE via Dangling Web Interface

The attacker scans for servers running Hikka with an exposed web interface.
Finding a dangling interface without an active authenticated session, the attacker uses their Telegram account to authorize access.
Once authorized, the attacker executes arbitrary commands on the server, gaining full control over the userbot and potentially the host system.

Scenario 2: Account Compromise via Misleading Authorization

The userbot owner logs into the web interface and receives an "Allow web application ops" prompt.
Due to vague or insufficient warning, the user clicks "Allow," unintentionally granting the attacker elevated permissions.
The attacker gains remote code execution and access to the owner's Telegram account, enabling further malicious activities such as message interception or spreading malware.

Conclusion

CVE-2025-52572 represents a critical security flaw in Hikka Telegram userbots, allowing attackers to execute remote code and compromise Telegram accounts through improper web interface authentication. With no official patches available, users must rely on strict mitigations such as disabling the web interface (--no-web flag) and exercising extreme caution with authorization prompts. Given the active exploitation in the wild, immediate action is essential to protect affected systems.

Summary of Key Points:

Aspect	Details
Affected Software	Hikka Telegram userbot, all versions
Vulnerability Type	Improper authentication leading to remote code execution
CVSS Score	10.0 (Critical)
Impact	Remote code execution, Telegram account compromise
Exploitation Status	Actively exploited in the wild
Official Patch	None available
Recommended Mitigations	Use `--no-web` flag, close web interface ports, cautious authorization

This vulnerability underscores the risks of exposed or poorly secured web interfaces in automation tools and the critical need for clear user warnings during authorization processes.

Trending

Critical Security Vulnerabilities in Dell ControlVault3 Firmware

Server-Side Request Forgery (SSRF) Vulnerability in SmartRobot by INTUMIT

The Silent Threat in Systems: Two New Vulnerabilities in Tenable Network Monitor

Remote Code Execution in EV Charging Stations

Critical CSRF Vulnerability in Siemens SIMATIC S7-1200 PLCs: Exploitation and Defense

2025 Vulnerabilities in Real Estate Software

Prisma Access Browser Security Update: Take Action to Address Critical Vulnerabilities

Critical Remote Code Execution Vulnerability in Hikka Telegram Userbot