CVE-2025-52572
Published: 24 June 2025
Summary
CVE-2025-52572 is a critical-severity Improper Authentication (CWE-287) vulnerability in Hikka, a Telegram userbot (product inferred from references). Its CVSS base score is 10.0 (Critical).
Operationally, it is ranked in the top 19.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Hikka, a Telegram userbot, contains an improper authentication vulnerability (CWE-287) that affects all versions and all users. The flaw centers on the web interface: it can be left listening without an authenticated session (a "dangling" interface), and the Telegram authorization prompt it triggers in the helper bot carries insufficient warning about what is being approved. Either condition allows unauthorized access to the underlying server and, in the second case, to the owner's Telegram account.
An attacker can exploit the issue in two ways. When the web interface has no authenticated session, the attacker authorizes with their own Telegram account through the exposed interface and obtains remote code execution on the server. When a session already exists, the owner can be tricked into clicking "Allow" in the helper bot's "Allow web application ops" prompt, because the message does not make clear that an unknown party triggered it; this grants the attacker both remote code execution and full access to the owner's Telegram account. The second scenario has been observed in real-world exploitation.
Advisories recommend several workarounds since no patches are available: start the userbot only with the `--no-web` flag; if the web interface must be used for authorization, close the listening port on the server afterwards and/or restart with `--no-web`; and never click "Allow" in the helper bot unless the owner explicitly initiated the action being approved. The referenced GitHub security advisory and related Telegram disclosure detail these steps.
The EPSS score has remained flat at 0.0137 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-19066
Vulnerability details
Hikka, a Telegram userbot, has a vulnerability that affects all users on all versions of Hikka. Two scenarios are possible. 1. The web interface does not have an authenticated session: an attacker can use their own Telegram account to gain RCE on the server by authorizing in the dangling web interface. 2. The web interface does have an authenticated session: due to insufficient warning in the authentication message, users were tempted to click "Allow" in the "Allow web application ops" menu. This gave an attacker access not only to remote code execution, but also to the Telegram accounts of owners. Scenario number 2 is known to have been exploited in the wild. No known patches are available, but some workarounds are: use the `--no-web` flag and do not start the userbot without it; after authorizing in the web interface, close the port on the server and/or start the userbot with the `--no-web` flag; and do not click "Allow" in your helper bot unless it is your own explicit action that needs to be allowed.
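The two scenarios above, and the checks the workarounds are standing in for, are easier to reason about as code. The block below is an added illustrative model, not Hikka's code: the class and method names, the host-only setup token for first-time binding, and the single-use nonce that ties a helper-bot "Allow" to an owner-initiated action are all assumptions made for this example. `DanglingWebInterface` reproduces the vulnerable behaviour the advisory describes; `HardenedWebInterface` shows what a fix would have to enforce (web off by default, owner binding that cannot be replaced, listener closed after authorization, and approval only for a request the owner actually started).

```python
"""Illustrative model of CVE-2025-52572's two scenarios and a hardened flow.
Added example: this is NOT Hikka's code. Class/method names, the setup token
and the nonce scheme are assumptions made for the illustration."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


class WebAuthError(Exception):
    """Raised when the hardened interface refuses an action."""


@dataclass
class DanglingWebInterface:
    """Models the vulnerable behaviour described on the page: the web UI is
    reachable, binds whichever Telegram account authorizes (scenario 1), and
    a bare 'Allow' click in the helper bot grants web ops (scenario 2)."""
    owner_id: Optional[int] = None      # account that actually owns the server
    session_id: Optional[int] = None    # account bound to the web session

    def authorize(self, telegram_id: int) -> str:
        # Scenario 1: nothing compares telegram_id with owner_id.
        self.session_id = telegram_id
        return "rce"

    def helper_bot_allow(self, clicked_allow: bool) -> str:
        # Scenario 2: any click on Allow is honoured, whoever triggered it.
        if self.session_id is None or not clicked_allow:
            raise WebAuthError("nothing to approve")
        return "rce+owner_account"


@dataclass
class HardenedWebInterface:
    """Hardened model (assumed design, not Hikka's). Web is off unless
    explicitly enabled (the --no-web default); first-time binding needs a
    token visible only on the host; a bound owner can never be replaced by
    another account; the listener is disabled again after a successful
    authorization (the 'close the port' workaround); and helper-bot approval
    needs a fresh, single-use nonce the owner generated from the host."""
    owner_id: Optional[int] = None
    web_enabled: bool = False
    session_id: Optional[int] = None
    ttl_seconds: float = 120.0
    setup_token: str = field(default_factory=lambda: secrets.token_urlsafe(24))
    _pending: Dict[str, float] = field(default_factory=dict)  # nonce -> expiry

    def enable_web(self) -> None:
        """Explicit owner action on the host, e.g. starting without --no-web."""
        self.web_enabled = True

    def authorize(self, telegram_id: int, token: Optional[str] = None) -> str:
        if not self.web_enabled:
            raise WebAuthError("web interface is disabled")
        if self.owner_id is None:
            # First-time binding: prove access to the host, not just the URL.
            if token is None or not secrets.compare_digest(token, self.setup_token):
                raise WebAuthError("setup token required for first binding")
            self.owner_id = telegram_id
        elif telegram_id != self.owner_id:
            raise WebAuthError("account is not the server owner")
        self.session_id = telegram_id
        self.web_enabled = False        # close the listener once authorized
        return "owner_session"

    def owner_initiates_web_op(self) -> str:
        """Owner-initiated action on the host; returns the nonce the helper
        bot would show in its Allow prompt so the owner can match it."""
        nonce = secrets.token_urlsafe(16)
        self._pending[nonce] = time.monotonic() + self.ttl_seconds
        return nonce

    def helper_bot_allow(self, nonce: str, now: Optional[float] = None) -> str:
        now = time.monotonic() if now is None else now
        expiry = self._pending.pop(nonce, None)   # single use
        if expiry is None:
            raise WebAuthError("no owner-initiated request matches this Allow")
        if now > expiry:
            raise WebAuthError("approval request expired")
        return "web_op_approved"


def rejects(fn, *args, **kwargs) -> bool:
    """True if the call is refused by the hardened checks."""
    try:
        fn(*args, **kwargs)
    except WebAuthError:
        return True
    return False


if __name__ == "__main__":
    vuln = DanglingWebInterface(owner_id=111)
    print("vulnerable, attacker 999 authorizes:", vuln.authorize(999))
    hard = HardenedWebInterface()
    hard.enable_web()
    print("hardened, attacker without setup token rejected:", rejects(hard.authorize, 999))
```

Note what the model makes explicit: the `--no-web` workaround corresponds to `web_enabled` staying `False`, "close the port after authorizing" corresponds to the listener being disabled inside `authorize`, and "don't click Allow unless you started the action" is what the nonce enforces mechanically rather than leaving it to the user's judgement. The setup token goes beyond the page's workarounds; it is the usual way to keep a first-run web wizard from being claimable by whoever reaches it first.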
- CWE(s): CWE-287 Improper Authentication
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Detects unauthorized successful logons resulting from improper authentication implementations.
- Documented procedures ensure personnel are trained on authentication mechanisms, tangibly lowering the risk of improper authentication being exploited.
- Security awareness training instructs users on secure authentication practices and avoiding credential compromise.
- Training on authentication mechanisms and best practices decreases the occurrence of improper authentication.
- Non-repudiation requires strong authentication mechanisms to irrefutably attribute performed actions to specific individuals or processes.
- Session content review can reveal authentication bypasses or failures in session establishment.
- Review of authentication-related audit records can detect improper authentication mechanisms or bypasses.
- Assessments check authentication mechanisms for correct implementation and effectiveness, reducing successful authentication bypass attempts.