Cyber Resilience

CVE-2025-52572

Severity: Critical
Published: 24 June 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: none available
CVSS v3.1 Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0137 (80.6th percentile)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-52572 is a critical-severity Improper Authentication (CWE-287) vulnerability in T (inferred from references). Its CVSS base score is 10.0 (Critical).

Operationally, it ranks in the top 19.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Hikka, a Telegram userbot, contains an improper authentication vulnerability (CWE-287) that affects all versions and all users. The flaw centers on the web interface, which can be left in a dangling state or presented with insufficient warnings during Telegram authorization, allowing unauthorized access to the underlying server and user accounts.

An attacker can exploit the issue in two ways. Without an active authenticated session, the attacker authorizes with their own Telegram account through the exposed interface to obtain remote code execution on the server. When a session already exists, users may be tricked into approving the web application in the helper bot due to weak messaging, granting the attacker both remote code execution and full access to the owner's Telegram account. The second scenario has been observed in real-world exploitation.

Advisories recommend several workarounds since no patches are available: launch the userbot exclusively with the `--no-web` flag, close the listening port after any web authorization, and avoid clicking "Allow" in the helper bot unless the action is explicitly initiated by the owner. The referenced GitHub security advisory and related Telegram disclosure detail these steps.

The EPSS score has remained flat at 0.0137 with no material increase after disclosure.

EU & UK References

Vulnerability details

Hikka, a Telegram userbot, has a vulnerability that affects all users on all versions of Hikka. Two scenarios are possible.

1. Web interface does not have an authenticated session: attacker can use his own Telegram account to gain RCE to the server by authorizing in the dangling web interface.

2. Web interface does have an authenticated session: due to insufficient warning in the authentication message, users were tempted to click "Allow" in the "Allow web application ops" menu. This gave an attacker access not only to remote code execution, but also to Telegram accounts of owners. Scenario number 2 is known to have been exploited in the wild.

No known patches are available, but some workarounds are available. Use `--no-web` flag and do not start userbot without it; after authorizing in the web interface, close the port on the server and/or start the userbot with `--no-web` flag; and do not click "Allow" in your helper bot unless it is your explicit action that needs to be allowed.
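The workarounds above (start the userbot with `--no-web`, close the web port after any authorization) can be audited on a host. The POSIX shell helper below is an added example written for this page; it is not part of the Hikka project or the advisory. It assumes process command lines in the format produced by `ps -eo pid,args` and listening sockets in the format produced by `ss -ltnp` (Linux iproute2); the sample output embedded in it, including the port number, is constructed and not captured from a real host.

```shell
#!/bin/sh
# Added audit helper for the advisory's workarounds; not part of Hikka or the advisory.
# It checks that every hikka process was started with --no-web and reports any
# listening TCP socket such a process still holds. Input formats assumed:
# `ps -eo pid,args` for command lines and `ss -ltnp` for listening sockets.

# Succeed (exit 0) when the command line contains --no-web as a whole word.
has_no_web_flag() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])--no-web([[:space:]]|$)'
}

# Print the PID of every hikka process whose command line lacks --no-web.
# $1: text of `ps -eo pid,args`
hikka_without_no_web() {
    printf '%s\n' "$1" \
        | grep -i 'hikka' \
        | grep -Ev '(^|[[:space:]])--no-web([[:space:]]|$)' \
        | awk '{print $1}'
}

# Print the local port of every listening socket owned by the given PID.
# $1: PID, $2: text of `ss -ltnp`
listening_ports_for_pid() {
    printf '%s\n' "$2" \
        | grep "pid=$1," \
        | awk '{print $4}' \
        | sed 's/.*://'
}

# Report every hikka process that violates the workaround (started without
# --no-web) together with any port it is listening on.
# Returns 1 if a violation was found, 0 otherwise.
audit_hikka() {
    status=0
    for pid in $(hikka_without_no_web "$1"); do
        ports=$(listening_ports_for_pid "$pid" "$2")
        echo "pid $pid: hikka started without --no-web; listening on port(s): ${ports:-none}"
        status=1
    done
    return $status
}

# Run the audit against the live host (requires ps and ss on the PATH).
audit_live() {
    audit_hikka "$(ps -eo pid,args)" "$(ss -ltnp 2>/dev/null)"
}

# Constructed sample output used to exercise the functions offline; not from a real host.
SAMPLE_PS='  PID COMMAND
 1201 python3 -m hikka --no-web
 1322 python3 -m hikka --port 8080
 1400 sshd: /usr/sbin/sshd'

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=1400,fd=3))
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*         users:(("python3",pid=1322,fd=7))'

# Offline demonstration on the constructed sample: reports pid 1322 on port 8080.
if audit_hikka "$SAMPLE_PS" "$SAMPLE_SS"; then
    echo "no hikka process violates the --no-web workaround"
fi
```

On a live host, call `audit_live` instead of the sample run; a non-zero exit status means at least one hikka process is running without `--no-web`, and the printed port list shows which sockets would need to be closed to complete the second workaround.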

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

T (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Each of the following controls addresses CWE-287:

Detects unauthorized successful logons resulting from improper authentication implementations.

Documented procedures ensure personnel are trained on authentication mechanisms, tangibly lowering the risk of improper authentication being exploited.

Security awareness training instructs users on secure authentication practices and avoiding credential compromise.

Training on authentication mechanisms and best practices decreases the occurrence of improper authentication.

Non-repudiation requires strong authentication mechanisms to irrefutably attribute performed actions to specific individuals or processes.

Session content review can reveal authentication bypasses or failures in session establishment.

Review of authentication-related audit records can detect improper authentication mechanisms or bypasses.

Assessments check authentication mechanisms for correct implementation and effectiveness, reducing successful authentication bypass attempts.

References