CVE-2025-52572
BaseFortify
Publication date: 2025-06-24
Last updated on: 2025-06-26
Assigner: GitHub, Inc.
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-52572 is a critical remote code execution vulnerability in the Hikka Telegram userbot affecting all versions up to 1.7.0-wip. It can be exploited in two ways: 1) If the web interface is unauthenticated, an attacker can use their Telegram account to gain remote code execution on the server by authorizing through the dangling web interface. 2) If the web interface is authenticated, insufficient warnings in the authentication prompt have caused users to inadvertently grant attackers remote code execution and control over their Telegram accounts. This second scenario has been exploited in the wild. No patches exist, but workarounds include disabling the web interface with the `--no-web` flag, closing the server port after authorization, and avoiding clicking "Allow" unless explicitly intended. [1]
How can this vulnerability impact me?
This vulnerability can lead to complete remote code execution on the server running the Hikka userbot, allowing attackers to execute arbitrary code. Additionally, attackers can gain full control over the Telegram accounts of the userbot owners. The impact includes full compromise of confidentiality, integrity, and availability of the affected system and accounts, potentially leading to data theft, service disruption, and unauthorized actions performed via the compromised Telegram accounts. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can focus on identifying if the Hikka userbot is running with the web interface enabled and if the web interface port is open and accessible. Since the vulnerability involves a dangling web interface, you can scan for open ports commonly used by Hikka's web interface (default or configured port). For example, use network scanning tools like nmap to detect open ports on the server hosting Hikka. Additionally, check the running processes or service startup parameters to see if the userbot is started without the `--no-web` flag. Commands to consider:
1) `netstat -tuln | grep <port>` to check if the web interface port is open;
2) `ps aux | grep hikka` to check if the userbot is running with web interface enabled;
3) `nmap -p <port> <server-ip>` to scan the port from a remote system.
Monitoring logs for unauthorized authorization attempts on the web interface may also help detect exploitation attempts. [1]
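The two host-side checks from the answer above, combined into one script, as an added example that is not part of the BaseFortify page or the Hikka project: it finds Hikka processes whose command line lacks `--no-web` and then asks whether those PIDs hold a listening TCP socket. The process listing, the netstat output, the command line `python3 -m hikka` and port 8080 are constructed assumptions, not documented Hikka defaults.

```shell
#!/bin/sh
# Added example (not BaseFortify's or Hikka's code): correlate a process
# listing with a socket listing to spot a Hikka web interface left enabled.

# Constructed sample of `ps -eo pid,args` output; `python3 -m hikka` is assumed.
SAMPLE_PS='  PID COMMAND
  101 python3 -m hikka --no-web
  202 python3 -m hikka
  303 /usr/sbin/sshd -D'

# Constructed sample of `netstat -tulnp` output (PIDs are shown only as root).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 303/sshd
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 202/python3'

# Print the PIDs of Hikka processes whose command line lacks --no-web.
hikka_pids_without_noweb() {
    printf '%s\n' "$1" | awk 'NR > 1 && /hikka/ && !/--no-web/ { print $1 }'
}

# Print the local addresses (host:port) on which the given PID is listening.
# Field 6 is the socket state and the last field is "PID/Program name".
listening_addrs_for_pid() {
    printf '%s\n' "$1" | awk -v pid="$2" \
        '$6 == "LISTEN" && $NF ~ ("^" pid "/") { print $4 }'
}

# Exit 0 when no Hikka instance exposes a listening web interface,
# 1 otherwise, naming every exposed PID and address.
check_hikka_web() {
    ps_out=$1; ns_out=$2; rc=0
    for pid in $(hikka_pids_without_noweb "$ps_out"); do
        for addr in $(listening_addrs_for_pid "$ns_out" "$pid"); do
            echo "PID $pid: Hikka web interface listening on $addr"
            rc=1
        done
    done
    [ "$rc" -eq 0 ] && echo "no exposed Hikka web interface found"
    return "$rc"
}

# Live check on this host (run as root so netstat reports PIDs):
#   check_hikka_web "$(ps -eo pid,args)" "$(netstat -tulnp 2>/dev/null)"
```

A process started with `--no-web` is reported as safe even if some other process listens on the same port, so treat the output as a pointer for a manual follow-up rather than a verdict.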
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1) Start the Hikka userbot with the `--no-web` flag to disable the vulnerable web interface;
2) If you need to authorize via the web interface, do so carefully, then immediately close the server port used by the web interface to prevent unauthorized access;
3) Avoid clicking "Allow" in the "Allow web application ops" menu unless you explicitly intend to grant permissions;
4) Monitor for suspicious activity related to the userbot and Telegram accounts.
Since no patches are available, these workarounds are critical to reduce risk. [1]