CVE-2025-52572: CWE-287: Improper Authentication in hikariatama Hikka
Hikka, a Telegram userbot, has a vulnerability that affects all users on all versions of Hikka. Two scenarios are possible. 1. The web interface has no authenticated session: an attacker can authorize in the dangling web interface with their own Telegram account and gain RCE on the server. 2. The web interface does have an authenticated session: because the authentication message carried an insufficient warning, users were tempted to click "Allow" in the "Allow web application ops" menu. This gave an attacker not only remote code execution but also access to the owners' Telegram accounts. Scenario 2 is known to have been exploited in the wild. No patches are available, but workarounds exist: start the userbot with the `--no-web` flag and never start it without it; after authorizing in the web interface, close the port on the server and/or restart the userbot with `--no-web`; and do not click "Allow" in your helper bot unless it is your own explicit action that needs to be allowed.
AI Analysis
Technical Summary
CVE-2025-52572 is an improper authentication weakness (CWE-287) in the Hikka Telegram userbot; the record lists all versions up to 1.7.0-wip as affected. The root cause is that the web interface does not bind a login or an approval to the server owner's identity, which opens two attack paths. First, if the web interface is running with no authenticated session, anyone who can reach the port can complete the Telegram login flow with their own account and, per the advisory, thereby obtain remote code execution on the host. Second, even when a session is already authenticated, the confirmation the helper bot shows the owner does not state clearly who is asking or what is being approved, so owners have been tempted to click "Allow" in the "Allow web application ops" menu for a request they did not initiate. That single click gives the attacker both code execution on the server and access to the owner's Telegram account. The second path has been exploited in the wild. No fix has been released; the published workarounds are to run the userbot with the --no-web flag, to close the web port once authorization is complete, and to treat every "Allow" prompt as a request from an unknown party unless you triggered it yourself. The record carries a CVSS v3.1 score of 10.0 (network attack vector, no privileges required, no user interaction, complete loss of confidentiality, integrity and availability); note that the no-user-interaction rating describes the first path, since the second requires the owner to click. Every Hikka deployment on an affected version is in scope, and the risk is greatest where the web interface is reachable from an untrusted network or where operators are used to approving helper-bot prompts without checking their origin.
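The second scenario is a consent-prompt failure: the owner is shown a bare "Allow" and nothing ties that click to one specific request. The following is an added illustration of that failure mode beside a request-bound alternative; it is not Hikka's code, does not reproduce its web interface, and the class, field and method names are hypothetical.

```python
"""Approval gate that binds an "Allow" decision to one identified request.

Added illustration for the second scenario; not Hikka's code. WeakGate
mirrors the failure mode in the advisory: the owner sees a bare "Allow web
application ops" prompt and one click unlocks whatever is pending, including
a stranger's login. HardenedGate shows the fix pattern: every request gets a
one-time code, the prompt states who asked for what, and approval must quote
that code within a short window. All names here are hypothetical.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingRequest:
    action: str       # what the remote party wants, e.g. "web-login"
    source_ip: str    # where the request arrived from
    created: float    # timestamp from the injected clock
    token: str        # one-time code the owner must echo back


class WeakGate:
    """Ambiguous prompt: 'Allow' grants every pending request at once."""

    def __init__(self):
        self.pending = []

    def request(self, action, source_ip):
        self.pending.append((action, source_ip))
        return "Allow web application ops?"   # says nothing about origin or action

    def allow(self):
        granted, self.pending = self.pending, []
        return granted   # the owner's own request and the attacker's, together


class HardenedGate:
    """Request-bound prompt: approval names one request and expires."""

    TTL = 120.0   # seconds a prompt stays approvable

    def __init__(self, now=time.time):
        self.pending = {}   # token -> PendingRequest, insertion ordered
        self.now = now      # injectable clock so expiry can be tested

    def request(self, action, source_ip):
        token = secrets.token_hex(3).upper()
        while token in self.pending:            # never reuse a live code
            token = secrets.token_hex(3).upper()
        self.pending[token] = PendingRequest(action, source_ip, self.now(), token)
        return (f"Request {token}: {action} from {source_ip}. "
                f"Reply 'ALLOW {token}' within {int(self.TTL)} s ONLY if you "
                f"just did this yourself; otherwise reply 'DENY {token}'.")

    def allow(self, reply):
        """Return the approved PendingRequest, or None if the reply does not
        name a live, unexpired request. Each code works exactly once."""
        parts = reply.split()
        if len(parts) != 2 or parts[0] != "ALLOW":
            return None
        req = self.pending.pop(parts[1], None)
        if req is None or self.now() - req.created > self.TTL:
            return None   # unknown code, already used, or stale prompt
        return req

    def deny(self, reply):
        """Drop a pending request by code; True if something was removed."""
        parts = reply.split()
        if len(parts) == 2 and parts[0] == "DENY":
            return self.pending.pop(parts[1], None) is not None
        return False
```

The design point is that the owner's reply must carry information only the legitimate prompt contained (the code) and the prompt must carry information the owner can check against their own actions (action and source address); an attacker's request then produces a prompt the owner can recognise as foreign rather than an anonymous "Allow".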
Potential Impact
For European organizations, this vulnerability presents a critical threat due to the potential for full system compromise via remote code execution and unauthorized access to Telegram accounts. Organizations using Hikka userbots for automation, communication, or integration with Telegram risk exposure of sensitive data, disruption of services, and potential lateral movement within networks. The compromise of Telegram accounts could lead to further social engineering attacks, data leakage, and reputational damage. Given the lack of official patches, organizations face prolonged exposure unless mitigations are applied. The impact is heightened for entities in sectors with high reliance on secure communications such as finance, government, and critical infrastructure. Additionally, the ability for attackers to execute arbitrary code remotely could facilitate deployment of ransomware or other malware, amplifying operational and financial damage. The vulnerability's exploitation could also undermine trust in Telegram-based automation tools, affecting broader digital communication ecosystems in Europe.
Mitigation Recommendations
European organizations should implement the following mitigations immediately:
1) Start the Hikka userbot with the --no-web flag, and never start it without it. This is the only published workaround that removes the vulnerable web interface entirely rather than limiting who can reach it.
2) If the web interface must be used for initial authorization, expose it only to trusted addresses (firewall rules or a VPN), complete the authorization, then close the port and restart with --no-web. A reachable web port is the entry point for both scenarios.
3) Treat every "Allow web application ops" prompt in the helper bot as untrusted: approve it only if you yourself just performed the action that needs approval, and deny or ignore anything else. Network controls on the server do not help once an owner approves a prompt they did not trigger.
4) Watch the userbot's logs and network telemetry for the web port for unexpected authorization attempts, and check the owner's Telegram active sessions for logins you do not recognise.
5) Run userbot hosts in a segmented network zone with minimal reachability, so that code execution on the host does not translate into lateral movement.
6) Keep tested backups and an incident response plan that assumes both the host and the owner's Telegram account are compromised; if a prompt was approved by mistake, terminate the unknown Telegram sessions and rebuild the host.
7) Track the Hikka project for a fix and plan to deploy it as soon as one is released.
8) Review other Telegram automation tools and their web interfaces for the same pattern: a login or approval flow that does not bind the approving user to the specific request being approved.
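Items 1 and 2 are easy to check mechanically on a host. The script below is an added example, not part of the Hikka project: it inspects process command lines for the --no-web flag and checks whether the web port is bound on anything other than loopback. It assumes the userbot is launched as `python -m hikka ...` (so "hikka" appears as a command-line token) and that HIKKA_WEB_PORT is whatever port your instance serves the web interface on; neither value comes from the advisory. SAMPLE_PS and SAMPLE_SS are constructed inputs in the shape of `ps -eo pid=,args=` and `ss -ltn` output so the checks can be exercised offline.

```python
"""Audit a host for the two published workarounds: is every Hikka process
started with --no-web, and is the web port reachable from off-box?

Added example, not part of the Hikka project. Assumptions: the userbot is
launched as `python -m hikka ...`, and HIKKA_WEB_PORT is your instance's web
port; both are parameters, not facts from the advisory. SAMPLE_PS and
SAMPLE_SS are constructed sample inputs.
"""
import ipaddress
import shlex
import subprocess
import sys

HIKKA_WEB_PORT = 8080   # assumption: replace with your instance's port

SAMPLE_PS = [   # constructed, shape of `ps -eo pid=,args=`
    "4242 /opt/hikka/venv/bin/python -m hikka --no-web",
    "4243 /opt/hikka/venv/bin/python -m hikka",
    "17 [kworker/0:1-events]",
]
SAMPLE_SS = [   # constructed, shape of `ss -ltn`
    "State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process",
    "LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*",
    "LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*",
    "LISTEN 0      4096   [::]:22             [::]:*",
]


def is_hikka_cmdline(args):
    """True when 'hikka' is a token of the command line (e.g. `python -m hikka`)."""
    try:
        return "hikka" in shlex.split(args)
    except ValueError:          # unbalanced quotes in some unrelated process
        return False


def cmdline_is_safe(args):
    """True when the process carries --no-web, the only workaround that
    removes the vulnerable web interface rather than just hiding it."""
    return "--no-web" in shlex.split(args)


def flag_findings(ps_lines):
    """Return [(pid, safe, args)] for each Hikka process in ps output."""
    found = []
    for line in ps_lines:
        line = line.strip()
        if not line:
            continue
        pid, _, args = line.partition(" ")
        if is_hikka_cmdline(args):
            found.append((int(pid), cmdline_is_safe(args), args))
    return found


def _is_loopback(host):
    if host in ("*", ""):        # wildcard bind: reachable from anywhere
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def exposed_listeners(ss_lines, port):
    """Return local addresses from `ss -ltn` output that listen on `port`
    on something other than loopback."""
    exposed = []
    for line in ss_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        local = parts[3]
        host, _, lport = local.rpartition(":")
        if lport != str(port):
            continue
        if not _is_loopback(host.strip("[]")):
            exposed.append(local)
    return exposed


def main():
    ps = subprocess.run(["ps", "-eo", "pid=,args="], capture_output=True,
                        text=True, check=True).stdout.splitlines()
    ss = subprocess.run(["ss", "-ltn"], capture_output=True,
                        text=True, check=True).stdout.splitlines()
    rc = 0
    for pid, safe, args in flag_findings(ps):
        print(f"{'OK  ' if safe else 'RISK'} pid={pid} {args}")
        rc |= 0 if safe else 1
    for local in exposed_listeners(ss, HIKKA_WEB_PORT):
        print(f"RISK web port {HIKKA_WEB_PORT} bound on {local}, not loopback")
        rc |= 2
    return rc


if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit status means at least one instance is running without --no-web (bit 1) or the web port is reachable from off-box (bit 2); the script is deliberately read-only so it can run from a cron job or a configuration-management check, with the restart and firewall change left to the operator.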
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-06-18T03:55:52.036Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 685b0bc766faf0c1de3b1305
Added to database: 6/24/2025, 8:34:15 PM
Last enriched: 12/8/2025, 5:47:12 PM
Last updated: 1/7/2026, 5:24:09 AM