CRITICAL 3 min read 29 Mar 2026

Telegram Zero-Click — Unauthenticated Account Takeover (ZDI-CAN-30207)

A critical zero-click RCE vulnerability (CVSS 9.8) discovered by ZDI enables unauthenticated account takeover and potential system hijack on Telegram. This flaw directly compromises secure communication channels across desktop and mobile platforms.

Key findings

01 Finding: Telegram Zero-Click RCE (ZDI-CAN-30207) [Severity: High | Confidence: High]
Researchers at the Zero Day Initiative (ZDI) have found a critical remote code execution (RCE) flaw in Telegram. It is an unauthenticated, "zero-click" vulnerability, meaning an attacker can take over an account or even the host device without the user ever interacting with a message.

02 Finding: F5 BIG-IP APM RCE (CVE-2025-53521) [Severity: Critical | Confidence: High]
The F5 BIG-IP Access Policy Manager (APM) flaw (CVE-2025-53521) has been reclassified. What was previously thought to be a simple Denial of Service (DoS) is actually a full Remote Code Execution (RCE) vulnerability with a CVSS score of 9.8.

03 Finding: Storm-2561 SEO Poisoning & Spoofed VPN Clients [Severity: High | Confidence: High]
Microsoft is tracking a campaign by a group called Storm-2561. They are using SEO poisoning to make fake VPN installers for Ivanti, Cisco, and Fortinet show up in search results.

04 Finding: AI-Native Security — Happy DOM & OpenHands [Severity: High | Confidence: Medium]
We are seeing a new wave of vulnerabilities targeting AI infrastructure. Happy DOM (CVE-2026-33943) has a code injection flaw that triggers during web-scraping or server-side rendering.

05 Update: European Commission Breach (ShinyHunters) [Severity: High | Confidence: High]
The European Commission breach has been tied to the ShinyHunters group. They stole 350GB of data, including DKIM signing keys and an SSO directory for nearly 1,800 users.

06 Update: Cisco Secure FMC Zero-Day (CVE-2026-20131) [Severity: High | Confidence: High]
The "Interlock" ransomware group has been exploiting CVE-2026-20131 since January. This was a 60-day blind spot where unauthenticated attackers could gain root access via Java deserialisation.

07 Update: telnetd Buffer Overflow (CVE-2026-32746) [Severity: High | Confidence: High]
Python-based exploit scripts for a 32-year-old telnetd buffer overflow are now all over GitHub. This is essentially "democratising" the ability to attack legacy systems—making it easy for even low-skilled actors to compromise older infrastructure that hasn't been decommissioned yet.

Telegram Zero-Click — Unauthenticated Account Takeover (ZDI-CAN-30207)

Finding: Telegram Zero-Click RCE (ZDI-CAN-30207)

Confidence: High

Researchers at the Zero Day Initiative (ZDI) have found a critical remote code execution (RCE) flaw in Telegram. It is an unauthenticated, "zero-click" vulnerability, meaning an attacker can take over an account or even the host device without the user ever interacting with a message. While the full technical details are currently under a 120-day disclosure window (lasting until July 2026), the risk to sensitive corporate communication is immediate.

This bypasses standard security advice like "don't click links" or "don't open attachments." Because it requires no user action, it is a perfect tool for surveillance and industrial espionage. If your organisation uses Telegram for anything sensitive, you should strongly consider restricting its use until a verified patch is confirmed and deployed.

Finding: F5 BIG-IP APM RCE (CVE-2025-53521)

Confidence: High

The F5 BIG-IP Access Policy Manager (APM) flaw (CVE-2025-53521) has been reclassified. What was previously thought to be a simple Denial of Service (DoS) is actually a full Remote Code Execution (RCE) vulnerability with a CVSS score of 9.8. CISA added it to its Known Exploited Vulnerabilities (KEV) catalog on 28 March, confirming that it is being used in the wild right now.

The bug lets unauthenticated attackers run commands on internet-facing gateways. Since BIG-IP APM is often the first line of defence for remote access, this is a major problem for any corporate perimeter. If you run these instances, patching is no longer optional—it is an emergency.

Finding: Storm-2561 SEO Poisoning & Spoofed VPN Clients

Confidence: High

Microsoft is tracking a campaign by a group called Storm-2561. They are using SEO poisoning to make fake VPN installers for Ivanti, Cisco, and Fortinet show up in search results. These installers look legitimate but actually drop the Hyrax infostealer, which is built to scrape corporate VPN credentials and session tokens. By spoofing the very tools we use to stay secure, the attackers are walking straight through the front door.

Finding: AI-Native Security — Happy DOM & OpenHands

Confidence: Medium

We are seeing a new wave of vulnerabilities targeting AI infrastructure. Happy DOM (CVE-2026-33943) has a code injection flaw that triggers during web-scraping or server-side rendering. At the same time, the OpenHands AI agent framework (CVE-2026-33718) is vulnerable to command injection via its Git Diff handler. As more companies integrate AI agents into their dev workflows, these types of "AI-native" attacks are becoming a standard part of the threat landscape.

Update: European Commission Breach (ShinyHunters)

Confidence: High

The European Commission breach has been tied to the ShinyHunters group. They stole 350GB of data, including DKIM signing keys and an SSO directory for nearly 1,800 users. This is particularly dangerous because it allows the attackers to send incredibly convincing emails from official EU domains and maintain long-term, unauthorized access to cloud systems.
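Stolen DKIM signing keys stay useful to an attacker until every selector that published the matching public key is rotated and the old selector is revoked. The script below is an added example, not part of this brief or of any vendor tooling: it parses DKIM TXT records, reports which selectors are revoked (an empty p= tag, per RFC 6376) and measures the RSA modulus size of the ones still live (RFC 8301 forbids keys under 1024 bits). The records in SAMPLE_RECORDS are constructed for the demonstration, including their key material; in a real audit the record text comes from a DNS TXT lookup of selector._domainkey.domain.

```python
"""Audit DKIM selector records after a signing-key compromise (added example)."""
import base64
import re

# --- Minimal DER encoder, used only to build the constructed sample keys ---

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:                      # keep the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)

def make_rsa_spki(modulus: int, exponent: int = 65537) -> bytes:
    """Encode an RSA public key as SubjectPublicKeyInfo (the format DKIM p= carries).
    The moduli passed in below are synthetic size placeholders, not real keys."""
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    alg_id = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))

# --- Minimal DER reader for the audit side -------------------------------

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki: bytes) -> int:
    """Bit length of the RSA modulus inside a SubjectPublicKeyInfo blob."""
    tag, outer, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo SEQUENCE")
    _, _alg, pos = _read_tlv(outer, 0)      # AlgorithmIdentifier, skipped
    tag, bitstr, _ = _read_tlv(outer, pos)  # BIT STRING holding RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_key, _ = _read_tlv(bitstr[1:], 0)  # skip unused-bits byte
    tag, n_bytes, _ = _read_tlv(rsa_key, 0)   # first INTEGER is the modulus
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n_bytes, "big").bit_length()

# --- DKIM record handling -----------------------------------------------

def parse_dkim_record(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; whitespace inside values is dropped."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def audit_selector(selector: str, txt: str) -> dict:
    tags = parse_dkim_record(txt)
    result = {"selector": selector, "status": "ok", "bits": None}
    if tags.get("v", "DKIM1") != "DKIM1":
        result["status"] = "invalid: unsupported version"
    elif "p" not in tags:
        result["status"] = "invalid: missing p= tag"
    elif tags["p"] == "":
        result["status"] = "revoked"        # RFC 6376 3.6.1: empty p= means revoked
    elif tags.get("k", "rsa") != "rsa":
        result["status"] = "ok (non-RSA key, size not checked)"
    else:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
        result["bits"] = bits
        if bits < 1024:
            result["status"] = "weak: RSA under 1024 bits (RFC 8301)"
        elif bits < 2048:
            result["status"] = "ok (consider rotating to 2048 bits)"
    return result

def audit_all(records: dict) -> dict:
    return {sel: audit_selector(sel, txt) for sel, txt in records.items()}

# Constructed sample records: an old selector that was correctly revoked after
# rotation, the replacement selector, and a forgotten legacy selector.
SAMPLE_RECORDS = {
    "old2025": "v=DKIM1; k=rsa; p=",
    "new2026": "v=DKIM1; k=rsa; p=" + base64.b64encode(make_rsa_spki((1 << 2047) | 1)).decode(),
    "legacy": "v=DKIM1; k=rsa; p=" + base64.b64encode(make_rsa_spki((1 << 511) | 1)).decode(),
}

if __name__ == "__main__":
    for r in audit_all(SAMPLE_RECORDS).values():
        print(f"{r['selector']:<10} {r['status']:<40} bits={r['bits']}")
```

After a key theft, the selector that carried the stolen key should show as "revoked" (or disappear from DNS entirely) and the new selector should show a 2048-bit key; any selector the audit flags as "weak" or as still live with the old key is a selector the attacker can continue to sign as.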

Update: Cisco Secure FMC Zero-Day (CVE-2026-20131)

Confidence: High

The "Interlock" ransomware group has been exploiting CVE-2026-20131 since January. This was a 60-day blind spot where unauthenticated attackers could gain root access via Java deserialisation. It is a reminder of how long zero-days can remain active before they are finally caught and catalogued.

Update: telnetd Buffer Overflow (CVE-2026-32746)

Confidence: High

Python-based exploit scripts for a 32-year-old telnetd buffer overflow are now all over GitHub. This is essentially "democratising" the ability to attack legacy systems—making it easy for even low-skilled actors to compromise older infrastructure that hasn't been decommissioned yet.

Why This Matters

We are seeing a cluster of unauthenticated RCEs hitting the most sensitive parts of the network: communication (Telegram) and access (F5, Cisco). When these are combined with the rise of AI-native vulnerabilities and sophisticated impersonation via stolen DKIM keys, it is clear that the traditional "perimeter" is under more pressure than ever.

Recommended Actions

  • Telegram: Pause using Telegram for sensitive internal business until a patch is verified.
  • Access Control: Treat F5 BIG-IP (CVE-2025-53521) and Cisco FMC (CVE-2026-20131) as critical priority patches.
  • Credential Protection: Tell employees to only download VPN clients from your internal company portal, never from a search engine result.
  • AI Security: Audit any AI agents or scrapers using Happy DOM or OpenHands and restrict their ability to execute JavaScript or system commands.

All findings grounded in A13E intelligence sweeps through 08:16 UTC 29 March 2026.

Tags: cve-2025-53521, cve-2026-20131, cve-2026-32746, cve-2026-33943, rce, telegram, zdi-can-30207, zero-click
