CVE-2025-52572 · CRITICAL 10.0 · EPSS percentile 44.9%

Description

Hikka, a Telegram userbot, has a vulnerability that affects all users on all versions of Hikka. Two scenarios are possible.

  1. The web interface does not have an authenticated session: an attacker can use their own Telegram account to gain remote code execution on the server by authorizing in the dangling web interface.
  2. The web interface does have an authenticated session: because the authentication message carried an insufficient warning, users were tempted to click "Allow" in the "Allow web application ops" menu. This gave an attacker not only remote code execution but also access to the owners' Telegram accounts.

Scenario 2 is known to have been exploited in the wild. No known patches are available, but some workarounds exist: use the `--no-web` flag and do not start the userbot without it; after authorizing in the web interface, close the port on the server and/or start the userbot with the `--no-web` flag; and do not click "Allow" in your helper bot unless it is your own explicit action that needs to be allowed.

Scoring

CVSS 3.1: 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.62% probability of exploitation · percentile 44.9% · 2026-06-18T12:00:27Z
Published: 2025-06-24
Last modified: 2026-04-15

Underlying weaknesses · 1

CWE-287

References

  1. https://github.com/hikariatama/Hikka/security/advisories/GHSA-7x3c-335v-wxjj
  2. https://t.me/bbcode/9

Type     | Target                            | Confidence | Tier
Weakness | Improper Authentication (CWE-287) | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-52571, CVE-2025-39247, CVE-2026-28454, CVE-2026-40525, CVE-2025-57282, CVE-2025-57483
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.