Critical Remote Code Execution Vulnerability in Hikka Telegram Userbot


CVE-2025-52572 is a critical security vulnerability affecting all versions of Hikka, a Telegram userbot. This vulnerability enables remote code execution (RCE) on the server running the userbot and can also lead to compromise of the Telegram accounts of the bot owners. The vulnerability arises from improper authentication and insecure handling of the web interface used by Hikka.

Details of the Vulnerability

Two main attack scenarios are possible:

1. Unauthenticated Web Interface Access
If the Hikka web interface has no authenticated session, an attacker can use their own Telegram account to authorize themselves on the dangling web interface. This gives the attacker remote code execution on the server hosting the userbot. Essentially, the attacker hijacks the web interface without needing any prior credentials or access.

2. Authenticated Web Interface with Insufficient Warning
When the web interface is already authenticated, the owner receives an "Allow web application ops" prompt from the helper bot. Because the prompt carries insufficient warning, users have been tricked into clicking "Allow," which grants the attacker not only remote code execution but also full access to the Telegram accounts of the userbot owners. This second scenario has been confirmed as actively exploited in the wild, making it a high-risk threat.

Impact

  • Remote Code Execution (RCE): Attackers can execute arbitrary code on the server running the userbot, potentially taking full control of the system.
  • Telegram Account Compromise: Attackers can gain unauthorized access to the Telegram accounts of the userbot owners, leading to data theft, impersonation, or further attacks.
  • High Severity: The vulnerability has been assigned a CVSS v3 base score of 10.0 (CRITICAL), reflecting its ease of exploitation and severe impact on confidentiality, integrity, and availability.

No Official Patch Yet

As of the published date (June 24, 2025), there are no official patches available to fix this vulnerability. The Hikka repository was archived earlier in 2025, and no updates addressing this issue have been released.

Until an official patch is released, users of Hikka should adopt the following mitigations to reduce risk:

  • Use the --no-web flag: Start the userbot with the --no-web option to disable the web interface entirely. Do not start the userbot without this flag.
  • Close Web Interface Ports: If the web interface must be used temporarily, close the server port immediately after authorizing and then restart the userbot with --no-web.
  • Be Cautious with "Allow" Prompts: Do not click "Allow" in the helper bot's "Allow web application ops" menu unless you explicitly intend to authorize the action.
  • Disable or Restrict Web Interface Access: Consider disabling the web interface or restricting its access to trusted networks only.
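As an added defender-side check (not part of Hikka or this advisory), the following POSIX shell script audits the host's process list for Hikka instances that were started without the --no-web mitigation described above. It assumes the userbot's command line contains "hikka" (for example python3 -m hikka); the process lines used in the comments are constructed samples.

```shell
#!/bin/sh
# Hypothetical audit helper (added example, not Hikka's own tooling):
# report userbot processes that are running without --no-web.

# Returns 0 if the given command line carries the --no-web flag, 1 otherwise.
hikka_cmdline_is_mitigated() {
    case " $1 " in
        *" --no-web "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads "pid command line" records on stdin (constructed sample:
# "456 python3 -m hikka"), prints every Hikka process lacking --no-web,
# and returns 1 if at least one such process was found, 0 otherwise.
audit_hikka_processes() {
    found=0
    while IFS= read -r line; do
        pid=${line%% *}
        cmd=${line#* }
        # Assumption: the userbot's command line contains "hikka".
        case "$cmd" in
            *hikka*) ;;
            *) continue ;;
        esac
        if ! hikka_cmdline_is_mitigated "$cmd"; then
            echo "pid $pid: hikka started WITHOUT --no-web: $cmd"
            found=1
        fi
    done
    return $found
}

# Live check of this host; "pid=,args=" suppresses the ps header.
audit_live() {
    ps -eo pid=,args= | audit_hikka_processes
}

# Run the live audit only when invoked as: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

A non-zero exit from audit_live means an unmitigated instance is running, so the script can be wired into cron or a monitoring check to catch a userbot that was restarted without the flag.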

Sample Attack Scenario

Scenario 1: Unauthorized RCE via Dangling Web Interface

  • The attacker scans for servers running Hikka with an exposed web interface.
  • Finding a dangling interface without an active authenticated session, the attacker uses their Telegram account to authorize access.
  • Once authorized, the attacker executes arbitrary commands on the server, gaining full control over the userbot and potentially the host system.

Scenario 2: Account Compromise via Misleading Authorization

  • The userbot owner logs into the web interface and receives an "Allow web application ops" prompt.
  • Due to vague or insufficient warning, the user clicks "Allow," unintentionally granting the attacker elevated permissions.
  • The attacker gains remote code execution and access to the owner's Telegram account, enabling further malicious activities such as message interception or spreading malware.

Conclusion

CVE-2025-52572 represents a critical security flaw in Hikka Telegram userbots, allowing attackers to execute remote code and compromise Telegram accounts through improper web interface authentication. With no official patches available, users must rely on strict mitigations such as disabling the web interface (--no-web flag) and exercising extreme caution with authorization prompts. Given the active exploitation in the wild, immediate action is essential to protect affected systems.

Summary of Key Points:

Aspect                  | Details
------------------------|---------------------------------------------------------------------
Affected Software       | Hikka Telegram userbot, all versions
Vulnerability Type      | Improper authentication leading to remote code execution
CVSS Score              | 10.0 (Critical)
Impact                  | Remote code execution, Telegram account compromise
Exploitation Status     | Actively exploited in the wild
Official Patch          | None available
Recommended Mitigations | Use --no-web flag, close web interface ports, cautious authorization

This vulnerability underscores the risks of exposed or poorly secured web interfaces in automation tools and the critical need for clear user warnings during authorization processes.


Crow

physics, information technologies, author, educator
