Critical Remote Code Execution Vulnerability in
CVE-2025-52572 is a critical security vulnerability affecting all versions of Hikka, a Telegram userbot. This vulnerability enables remote code execution (RCE) on the server running the userbot and can also lead to compromise of the Telegram accounts of the bot owners. The vulnerability arises from improper authentication and insecure handling of the web interface used by Hikka.
Details of the Vulnerability
Two main attack scenarios are possible:
1. Unauthenticated Web Interface Access: If the Hikka web interface does not have an authenticated session, an attacker can use their own Telegram account to authorize themselves on the dangling web interface. This allows the attacker to gain remote code execution on the server hosting the userbot. Essentially, the attacker hijacks the web interface without needing prior credentials or access.
2. Authenticated Web Interface with Insufficient Warning: When the web interface is authenticated, users receive an "Allow web application ops" prompt. Due to insufficient warning messages, users have been tricked into clicking "Allow," which grants attackers not only remote code execution capabilities but also full access to the Telegram accounts of the userbot owners. This second scenario has been confirmed as actively exploited in the wild, making it a high-risk threat.
Impact
- Remote Code Execution (RCE): Attackers can execute arbitrary code on the server running the userbot, potentially taking full control of the system.
- Telegram Account Compromise: Attackers can gain unauthorized access to the Telegram accounts of the userbot owners, leading to data theft, impersonation, or further attacks.
- High Severity: The vulnerability has been assigned a CVSS v3 base score of 10.0 (CRITICAL), reflecting its ease of exploitation and severe impact on confidentiality, integrity, and availability.
No Official Patch Yet
As of the publication date (June 24, 2025), there are no official patches available to fix this vulnerability. The Hikka repository was archived earlier in 2025, and no updates addressing this issue have been released.
Recommended Workarounds and Mitigations
Until an official patch is released, users of Hikka should adopt the following mitigations to reduce risk:
- Use the --no-web flag: Start the userbot with the --no-web option to disable the web interface entirely. Do not start the userbot without this flag.
- Close Web Interface Ports: If the web interface must be used temporarily, close the server port immediately after authorizing and then restart the userbot with --no-web.
- Be Cautious with "Allow" Prompts: Do not click "Allow" in the helper bot's "Allow web application ops" menu unless you explicitly intend to authorize the action.
- Disable or Restrict Web Interface Access: Consider disabling the web interface or restricting its access to trusted networks only.
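The two host-side mitigations above (start with --no-web, and keep any web listener off the network) can be checked mechanically. The following audit script is an added example written for this advisory; it is not part of Hikka and does not come from the project. It reads text in the shape of `ps -eo pid,args` and `ss -ltnp` output, flags every Hikka process whose command line lacks --no-web, and for those processes reports any listening socket bound to a non-loopback address. Assumptions: the userbot is launched as `python3 -m hikka` (matched loosely on the word "hikka"), and the ports 8080/8081 in the constructed sample are placeholders, since the advisory does not state which port the web interface uses.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the shape of `ps -eo pid,args` output (not captured
# from a real host). The launch form `python3 -m hikka` is an assumption.
SAMPLE_PS = """\
  PID COMMAND
    1 /sbin/init
 4120 python3 -m hikka --no-web
 4188 python3 -m hikka --port 8080
 4201 python3 -m hikka --port 8081
 5003 sshd: /usr/sbin/sshd -D
"""

# Constructed sample in the shape of `ss -ltnp` output. Ports 8080/8081 are
# placeholders; the advisory does not state which port Hikka's web UI uses.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=5003,fd=3))
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*         users:(("python3",pid=4188,fd=7))
LISTEN 0      128    127.0.0.1:8081     0.0.0.0:*         users:(("python3",pid=4201,fd=7))
"""

PS_LINE = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")
SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("[^"]+",pid=(\d+),fd=\d+\)\)'
)
HIKKA_CMD = re.compile(r"\bhikka\b")  # assumed launch form: python3 -m hikka


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    pid: int


@dataclass(frozen=True)
class Finding:
    pid: int
    command: str
    issue: str


def parse_ps(text: str) -> dict[int, str]:
    """Map PID -> full command line, skipping the header row."""
    procs: dict[int, str] = {}
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if m:
            procs[int(m.group(1))] = m.group(2)
    return procs


def parse_ss(text: str) -> list[Listener]:
    """Extract (address, port, owning PID) for every LISTEN socket line."""
    out: list[Listener] = []
    for line in text.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            out.append(Listener(m.group(1), int(m.group(2)), int(m.group(3))))
    return out


def is_loopback(addr: str) -> bool:
    """True only for addresses unreachable from other hosts (127/8 or ::1)."""
    bare = addr.strip("[]")
    return bare.startswith("127.") or bare == "::1"


def audit(ps_text: str, ss_text: str) -> list[Finding]:
    """Flag Hikka processes missing --no-web and, for those, any listener
    bound to a wildcard or routable address (reachable from the network)."""
    findings: list[Finding] = []
    listeners = parse_ss(ss_text)
    for pid, cmd in parse_ps(ps_text).items():
        if not HIKKA_CMD.search(cmd):
            continue
        if "--no-web" in cmd.split():
            continue  # started as the advisory recommends
        findings.append(Finding(pid, cmd, "web interface enabled: missing --no-web"))
        for lsn in listeners:
            if lsn.pid == pid and not is_loopback(lsn.addr):
                findings.append(Finding(
                    pid, cmd,
                    f"web interface reachable from the network on {lsn.addr}:{lsn.port}",
                ))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PS, SAMPLE_SS):
        print(f"pid {f.pid}: {f.issue}  [{f.command}]")
```

On the constructed sample the script reports PID 4188 twice (no --no-web, and a listener on 0.0.0.0:8080 reachable from any network) and PID 4201 once (no --no-web, but its listener is loopback-only); PID 4120 is silent because it was started with --no-web. A loopback-only listener still counts as a finding because the advisory's recommendation is to disable the interface, not merely to hide it.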
Sample Attack Scenarios
Scenario 1: Unauthorized RCE via Dangling Web Interface
- The attacker scans for servers running Hikka with an exposed web interface.
- Finding a dangling interface without an active authenticated session, the attacker uses their Telegram account to authorize access.
- Once authorized, the attacker executes arbitrary commands on the server, gaining full control over the userbot and potentially the host system.
Scenario 2: Account Compromise via Misleading Authorization
- The userbot owner logs into the web interface and receives an "Allow web application ops" prompt.
- Due to vague or insufficient warning, the user clicks "Allow," unintentionally granting the attacker elevated permissions.
- The attacker gains remote code execution and access to the owner's Telegram account, enabling further malicious activities such as message interception or spreading malware.
Conclusion
CVE-2025-52572 represents a critical security flaw in Hikka Telegram userbots, allowing attackers to execute remote code and compromise Telegram accounts through improper web interface authentication. With no official patches available, users must rely on strict mitigations such as disabling the web interface (--no-web flag) and exercising extreme caution with authorization prompts. Given the active exploitation in the wild, immediate action is essential to protect affected systems.
Summary of Key Points:
Aspect | Details |
---|---|
Affected Software | Hikka Telegram userbot, all versions |
Vulnerability Type | Improper authentication leading to remote code execution |
CVSS Score | 10.0 (Critical) |
Impact | Remote code execution, Telegram account compromise |
Exploitation Status | Actively exploited in the wild |
Official Patch | None available |
Recommended Mitigations | Use --no-web flag, close web interface ports, cautious authorization |
This vulnerability underscores the risks of exposed or poorly secured web interfaces in automation tools and the critical need for clear user warnings during authorization processes.