CVE-2024-7014: Critical Telegram RCE Vulnerability Scores 9.8 CVSS — Vendor Disputes Existence

CVE-2024-7014: Critical Telegram RCE Flaw Triggered by Corrupted Sticker File

CVE ID: CVE-2024-7014 Affected Product: Telegram Messenger (cross-platform) CVSS Score: 9.8 (Critical)

---

Vulnerability Overview

CVE-2024-7014 is a reported remote code execution (RCE) vulnerability affecting the Telegram messaging application. According to researchers who disclosed the flaw, the vulnerability is triggered by a specially crafted or corrupted sticker file sent through the Telegram messaging interface. The attack vector is network-based, requires no authentication, and demands no interaction beyond the victim receiving or processing the malicious media file — characteristics that place this vulnerability firmly in critical severity territory.

The CVSS 3.1 base score of 9.8 reflects the following scoring breakdown: the attack vector is Network (AV:N), attack complexity is Low (AC:L), no privileges are required (PR:N), user interaction is None (UI:N), and the scope, confidentiality, integrity, and availability impacts are all rated at their maximum values. These metrics indicate a zero-click or near-zero-click attack path, meaning a remote attacker could potentially achieve code execution on a target device simply by sending a message.

Technical Details

The reported flaw resides in Telegram's media parsing logic — specifically in how the client processes sticker files, which in Telegram's implementation are typically rendered using animated formats such as Lottie (TGS) or WebP. A corrupted or maliciously constructed sticker file could trigger a memory corruption condition, buffer overflow, or improper input validation error in the parsing library, resulting in arbitrary code execution in the context of the Telegram process.

If exploited, an attacker controlling a Telegram account could send a malicious sticker to any user, group, or channel. Depending on the platform and process permissions, successful exploitation could expose stored messages, session tokens, local files, or enable full device compromise on mobile endpoints.

The flaw's network-based, no-authentication attack vector makes it particularly dangerous in group chat scenarios, where a single malicious message could target hundreds or thousands of users simultaneously.

Telegram's Official Position

Telegram has publicly denied that this vulnerability exists in its application. The company has not released a CVE acknowledgment, issued a security advisory, or published a patch tied directly to CVE-2024-7014. Telegram's position is that the reported attack scenario either cannot be reproduced or does not represent a genuine exploitable condition within its production codebase.

This dispute places the vulnerability in an unresolved state from a vendor confirmation standpoint. The CVE has been assigned and recorded in the National Vulnerability Database (NVD), but the absence of vendor validation complicates organizational risk assessments.

Real-World Impact

Telegram has over 900 million monthly active users globally. The platform is widely used by journalists, activists, government personnel, military units, and enterprise teams — populations that represent high-value targets for nation-state and criminal threat groups.

A confirmed, unpatched RCE vulnerability in Telegram would represent one of the most severe messaging application flaws disclosed in recent years. Even with the vendor dispute unresolved, the assigned CVSS score and attack characteristics warrant immediate attention from security teams managing endpoints where Telegram is installed.

Organizations in sensitive sectors — defense, finance, critical infrastructure, government — should treat this advisory with elevated concern regardless of Telegram's denial, given the potential consequences of a successful exploit and the platform's widespread deployment.

Affected Versions

Specific version ranges confirmed as vulnerable have not been publicly enumerated at the time of this advisory. Researchers have not published a full proof-of-concept (PoC) exploit, and Telegram has not provided version-specific impact guidance due to its non-acknowledgment of the flaw.

Patching and Mitigation Guidance

Until Telegram issues an official patch or makes a definitive technical statement, security teams should take the following steps:

1. Update Telegram clients immediately. Ensure all endpoints running Telegram are on the latest available version across Android, iOS, Windows, macOS, and Linux. Telegram releases frequent updates; staying on the current release reduces exposure to known and patched issues even if CVE-2024-7014 is not formally addressed.

2. Restrict Telegram use on sensitive endpoints. On devices handling classified, regulated, or sensitive data, consider restricting or blocking Telegram until this advisory is resolved. Use MDM or EDR policy controls to enforce this.

3. Disable automatic media download. In Telegram settings, disable automatic downloading of photos, videos, and files across all network types (mobile, Wi-Fi, roaming). This reduces the attack surface by preventing automatic processing of inbound media files.

4. Monitor for anomalous Telegram process behavior. Configure EDR rules to flag unusual child process spawning, network connections, or file system writes originating from Telegram executable processes.

5. Apply network-level controls. On managed networks, consider proxying or inspecting Telegram traffic where technically feasible and legally permissible.

6. Track NVD and Telegram's security advisories. Monitor the NVD entry for CVE-2024-7014 and Telegram's official security page at https://telegram.org/blog for any updated vendor guidance.

Security teams should not treat vendor denial as definitive confirmation that a vulnerability is non-exploitable. Independent verification and a defense-in-depth posture remain the appropriate response when a critical CVSS score has been assigned and no technical refutation has been formally published.