IT Sidekick.
Vol. 01 — The Growth Issue
vulnerability March 31, 2026

Telegram Zero-Day: CVSS 9.8 Critical Threat

IT Sidekick

Senior Strategist

Critical Telegram vulnerability ZDI-CAN-30207 (CVSS 9.8) allows remote code execution via crafted messages, affecting all 700M+ users across all platforms.

Michael Deplant found ZDI-CAN-30207 on March 27, 2026 — a Telegram vulnerability with a CVSS 9.8 score that lets attackers run code remotely through crafted messages.

No authentication needed. Attackers can execute arbitrary code on any Telegram user's device: Windows, macOS, iOS, and Android. That's roughly 700 million users at risk.

The flaw is in Telegram's message processing engine. Faulty memory handling means a crafted message can execute code without any user interaction. Receiving the message is enough to trigger it; no clicking is required.

For businesses, this means compromised communications, stolen trade secrets, and account takeovers. Attackers can read conversations, impersonate users, and maintain persistent access.

What to do right now:

  • Update Telegram immediately
  • Enable two-factor authentication
  • Monitor for suspicious activity on corporate accounts
  • Consider alternative platforms for sensitive communications

Patch this one fast. CVSS 9.8, zero interaction needed, and 700 million potential targets make a rough combination.
