Key Takeaway
CVE-2024-7014 is a reported critical remote code execution vulnerability in Telegram Messenger with a CVSS score of 9.8, allegedly triggered by a malicious or corrupted sticker file. Telegram has denied that the vulnerability exists, so the disclosure remains unconfirmed by the vendor. Security teams should apply the latest Telegram client updates, disable automatic media downloads, and monitor NVD for record updates while the dispute remains unresolved.
CVE-2024-7014 | Telegram Messenger | CVSS 9.8 (Critical)
A critical vulnerability tracked as CVE-2024-7014 has been published against Telegram Messenger, carrying a CVSS v3 base score of 9.8. The flaw is described as being triggered by a specially crafted or corrupted sticker file transmitted through the messaging application. Telegram has publicly denied that the vulnerability exists.
Technical Description
The reported vulnerability is classified as remote code execution (RCE), and the initial disclosure specifies no authentication and no user interaction. That is exactly what a 9.8 encodes: the only CVSS v3.1 vector that produces that score with Scope Unchanged is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, that is, a network-reachable flaw of low attack complexity that requires no privileges and no user interaction and has high impact on confidentiality, integrity, and availability. If later enrichment finds that the victim must open or tap the sticker (UI:R), the same vector drops to 8.8 (High), so the user-interaction claim is the part of the record most worth scrutinizing.
The attack vector, as described by the researcher who submitted the CVE, involves a corrupted sticker object delivered within the Telegram chat interface. The sticker payload allegedly triggers unsafe memory handling or improper input validation in the client-side rendering pipeline, potentially allowing arbitrary code execution on the target device. The specific memory corruption class — whether heap overflow, use-after-free, or out-of-bounds write — has not been confirmed in the public CVE record.
The affected product scope has not been narrowly defined in the public disclosure. Telegram operates clients across Android, iOS, Windows, macOS, and Linux, and the advisory does not specify which platform or client version is affected.
Telegram's Response
Telegram has issued a denial, stating the vulnerability does not exist in its platform. The company has not published a formal security advisory, patch notes referencing CVE-2024-7014, or a bug bounty acknowledgment tied to this report. This creates a conflict between the CVE record and the vendor's stated position — a situation that complicates enterprise risk assessment.
This is not the first time Telegram has faced scrutiny over client-side vulnerabilities. In July 2024, ESET documented a Telegram for Android zero-day dubbed "EvilVideo" that it had found advertised for sale on an underground forum; Telegram fixed it in version 10.14.5 after ESET reported it. EvilVideo let an attacker disguise a malicious APK as a video, although it still needed the victim to open the file and allow installation from unknown sources. The sticker report behind CVE-2024-7014 describes a similar delivery mechanism, abuse of Telegram's media-sharing features, but claims far less user interaction.
Real-World Impact
If the vulnerability is genuine and exploitable as described, the attack surface is substantial. Telegram reports over 900 million monthly active users. A zero-click or low-interaction RCE delivered via sticker — a feature used across all client platforms — would represent a high-value initial access vector.
Organizations that permit Telegram on corporate devices or use it for internal communications face direct exposure. Threat groups with a history of targeting messaging platforms, including the state-aligned operators of commercial spyware who weaponized the 2019 WhatsApp voice-call buffer overflow (CVE-2019-3568) for zero-click delivery, would likely prioritize a verified exploit at this severity level.
The lack of confirmed exploitation in the wild, combined with Telegram's denial, means defenders cannot currently rely on threat intelligence feeds or endpoint detection signatures built around observed attack patterns.
Affected Versions
No specific version range has been confirmed vulnerable. The CVE record does not currently list a CPE (Common Platform Enumeration) entry restricting the scope to a particular Telegram client version or operating system build.
Patching and Mitigation Guidance
1. Monitor Telegram's official channels. Telegram posts release news at https://t.me/telegram, and security fixes are usually visible only in release notes and client changelogs rather than in a dedicated advisory, so watch those for any update that references sticker handling, media parsing, or client-side rendering fixes.
2. Apply all available Telegram client updates immediately. Regardless of CVE-2024-7014's disputed status, running the latest stable release of each Telegram client on every platform removes exposure to vulnerabilities that have already been patched.
3. Restrict Telegram on managed endpoints. SOC teams and endpoint administrators should evaluate whether Telegram is necessary on corporate assets. If not required, block installation via MDM or application control policies.
4. Disable automatic media download. Under the client's Data and Storage settings, users can turn off automatic downloading of photos, videos, and files for each network type. Requiring manual interaction before media renders reduces the passive attack surface while the vulnerability status remains unresolved. One caveat: on clients where those toggles cover only photos, videos and files, stickers still render as soon as a chat is opened, so treat this as a partial control against the specific vector reported, and pair it with the privacy settings that limit unsolicited contact (such as restricting who can add the account to groups).
5. Monitor for anomalous process behavior. If Telegram clients are permitted on managed systems, configure EDR rules to flag unusual child processes spawned from the Telegram executable, and to flag binaries launched from the client's download directory or from temporary paths. RCE via media parsing typically results in a shell or interpreter process being launched under the application's process tree, and a dropped payload executing from a writable location shortly afterwards.
6. Track NVD and vendor updates. The National Vulnerability Database entry for CVE-2024-7014 should be monitored for enrichment, including CVSS vector refinement, affected version ranges, and CWE classification. Telegram's continued silence or an eventual confirmation will materially change the risk calculation.
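To show what the process-tree check in step 5 looks like in practice, the following triage script is an added example for this article, not a rule shipped by any EDR vendor and not Telegram's code. It runs over constructed Sysmon-style process-creation records and reports children of a Telegram client process that look like a post-exploitation shell or a dropped payload. The Telegram image names, the allow-list of expected children (Telegram Desktop's Windows updater and the URL handlers on Linux and macOS) and the sample events are all assumptions for the example and should be tuned against real telemetry from your estate.

```python
"""Process-tree triage for Telegram parents, added here as an example.

Not an EDR product rule: a stand-alone illustration of the check the
guidance above describes, run over constructed process-creation records.
Executable names, the benign-child allow-list and the sample events are
assumptions for the example, not observed telemetry.
"""
import re
from dataclasses import dataclass

# Image basenames for the Telegram client on each platform (assumed names;
# confirm against your own software inventory).
TELEGRAM_IMAGES = {"telegram.exe", "telegram", "telegram-desktop"}

# Children that an RCE-turned-shell would usually spawn. Tune per estate.
INTERPRETERS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
    "sh", "bash", "zsh", "python", "python3", "perl", "osascript", "curl", "wget",
}

# Children the client legitimately launches (assumed allow-list: its own
# updater on Windows, URL handlers on Linux and macOS).
EXPECTED_CHILDREN = {"updater.exe", "xdg-open", "open"}

# Command-line markers that raise an interpreter alert to high.
HIGH_RISK = re.compile(
    r"(?i)(-enc(odedcommand)?\s|downloadstring|invoke-webrequest|\biwr\s|"
    r"\bcurl\b.*\|\s*(ba)?sh|\bwget\b.*\|\s*(ba)?sh|/bin/sh -c|frombase64string)"
)

# Locations a dropped payload is likely to execute from.
DROP_DIRS = re.compile(r"(?i)(\\downloads\\|\\telegram desktop\\|\\temp\\|/tmp/|/downloads/)")


def basename(path: str) -> str:
    """Lower-cased final path component, for Windows or POSIX paths."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()


@dataclass
class Alert:
    host: str
    parent: str
    child: str
    severity: str
    reason: str


def triage(events):
    """Return Alerts for process-creation events whose parent is Telegram.

    Each event is a dict with keys: host, parent_image, image, command_line.
    """
    alerts = []
    for ev in events:
        parent = basename(ev["parent_image"])
        if parent not in TELEGRAM_IMAGES:
            continue
        child = basename(ev["image"])
        cmd = ev.get("command_line", "")
        if child in EXPECTED_CHILDREN:
            continue
        if child in INTERPRETERS:
            sev = "high" if HIGH_RISK.search(cmd) else "medium"
            reason = f"interpreter {child} spawned by Telegram"
        elif DROP_DIRS.search(ev["image"]):
            sev = "high"
            reason = "binary executed from a download or temp directory"
        else:
            sev = "low"
            reason = "unexpected child process; review"
        alerts.append(Alert(ev["host"], parent, child, sev, reason))
    return alerts


# Constructed sample telemetry (not real logs): one benign updater launch, one
# encoded PowerShell child, one benign URL open, one payload run from /tmp,
# and one unrelated parent that the rule must ignore.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent_image": r"C:\Users\a\AppData\Roaming\Telegram Desktop\Telegram.exe",
     "image": r"C:\Users\a\AppData\Roaming\Telegram Desktop\Updater.exe",
     "command_line": "Updater.exe --update"},
    {"host": "ws-02", "parent_image": r"C:\Users\b\AppData\Roaming\Telegram Desktop\Telegram.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"host": "ws-03", "parent_image": "/opt/telegram/Telegram",
     "image": "/usr/bin/xdg-open", "command_line": "xdg-open https://example.org"},
    {"host": "ws-04", "parent_image": "/opt/telegram/Telegram",
     "image": "/tmp/.cache/svc", "command_line": "/tmp/.cache/svc"},
    {"host": "ws-05", "parent_image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.host}: {a.parent} -> {a.child}: {a.reason}")
```

On the sample set the script raises two high-severity alerts (the encoded PowerShell child on ws-02 and the binary run from /tmp on ws-04) and stays silent on the updater, the URL handler and the non-Telegram parent; the allow-list is what keeps the rule quiet in normal use, so extend it only from observed benign telemetry, never from the client's documentation alone.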
Until Telegram provides independent verification or a credible third-party researcher reproduces the exploit, treat this vulnerability as unconfirmed but warranting precautionary controls given the severity score and the plausibility of media-parsing attack vectors on the platform.
Original Source
Dark Reading
Related Articles
CVE Pending: Critical Vulnerability in Anthropic's Claude Code Discovered Days After Source Code Leak
Adversa AI discovered a critical vulnerability in Anthropic's Claude Code agentic coding assistant within days of Anthropic accidentally leaking the product's source code. Claude Code operates with elevated system privileges in developer environments, making exploitation potentially severe — including credential theft, CI/CD pipeline manipulation, and lateral movement. Organizations should audit deployments, rotate credentials, and apply patches immediately once Anthropic releases a fix.
CVE-2024-6387: OpenSSH regreSSHion RCE Flaw Exposes Millions of Linux Servers to Unauthenticated Root Access
CVE-2024-6387 (regreSSHion) is a signal handler race condition in OpenSSH sshd versions 8.5p1 through 9.7p1 that allows unauthenticated remote code execution as root. Discovered by Qualys, the flaw affects an estimated 700,000 publicly exposed servers. Administrators should upgrade to OpenSSH 9.8p1 immediately or set LoginGraceTime 0 as a temporary workaround.
Apple Expands DarkSword Exploit Kit Mitigations Across Device Fleet After State-Sponsored and Spyware Vendor Abuse
Apple has expanded mitigations against the DarkSword exploit kit to additional devices after the toolkit was used in operations by state-sponsored threat groups and commercial spyware vendors. The expansion follows Apple's standard model of phased protection rollouts across its device ecosystem. All Apple device owners should apply the latest OS updates immediately, and high-risk individuals should enable Lockdown Mode.
CVE-2026-20093: Critical Cisco IMC Authentication Bypass Carries CVSS 9.8
Cisco has patched CVE-2026-20093, a critical authentication bypass vulnerability in the Cisco Integrated Management Controller (IMC) with a CVSS score of 9.8. An unauthenticated remote attacker can exploit the flaw to bypass authentication and gain elevated privileges over affected hardware management interfaces. Administrators should apply Cisco's patch immediately and restrict IMC network access to isolated management VLANs.