CVE-2025-52572: CWE-287: Improper Authentication in hikariatama Hikka
Hikka, a Telegram userbot, has a vulnerability that affects all users on all versions of Hikka. Two scenarios are possible. 1. The web interface does not have an authenticated session: an attacker can use their own Telegram account to gain RCE on the server by authorizing in the dangling web interface. 2. The web interface does have an authenticated session: due to an insufficient warning in the authentication message, users were tempted to click "Allow" in the "Allow web application ops" menu. This gave an attacker not only remote code execution, but also access to the Telegram accounts of owners. Scenario 2 is known to have been exploited in the wild. No known patches are available, but some workarounds are: use the `--no-web` flag and do not start the userbot without it; after authorizing in the web interface, close the port on the server and/or start the userbot with the `--no-web` flag; and do not click "Allow" in your helper bot unless it is your own explicit action that needs to be allowed.
AI Analysis
Technical Summary
CVE-2025-52572 is a critical improper authentication vulnerability (CWE-287) affecting all versions of the Hikka Telegram userbot up to and including version 1.7.0-wip. Hikka provides a web interface for user interaction and control, and this interface suffers from two major security flaws.
First, if the web interface is left without an authenticated session, an attacker can use their own Telegram account to gain remote code execution (RCE) on the server hosting the userbot simply by authorizing through the exposed web interface. With no authentication barrier in place, the attacker can fully compromise the underlying system.
Second, even when the web interface already has an authenticated session, the authentication prompt shown to users does not warn them clearly enough, so users inadvertently grant excessive permissions by clicking "Allow" on the "Allow web application ops" prompt. This not only enables RCE but also grants the attacker access to the Telegram accounts of the userbot owners, compromising both the server and the Telegram accounts themselves. Scenario two has been confirmed as exploited in the wild, which underlines the real-world risk.
No official patches are currently available. Mitigations are to run the userbot with the `--no-web` flag to disable the web interface, to close the web interface port after authorization, and to avoid clicking "Allow" unless the action is explicitly intended. The vulnerability has a CVSS 3.1 base score of 10.0, reflecting its critical severity with a network attack vector, no required privileges or user interaction, and complete impact on confidentiality, integrity, and availability. It poses a severe risk to any organization using Hikka userbots, as it can lead to full system compromise and account takeover.
Potential Impact
For European organizations using Hikka userbots, this vulnerability presents a critical threat. Successful exploitation can lead to full remote code execution on servers running the userbot, allowing attackers to execute arbitrary commands, deploy malware, or pivot within internal networks. Additionally, the compromise of Telegram accounts can lead to further social engineering attacks, data leakage, and unauthorized access to sensitive communications. Given Telegram's popularity in various sectors including media, political groups, and private enterprises in Europe, the impact extends beyond technical compromise to potential reputational damage and operational disruption. The lack of patches means organizations must rely on mitigations, increasing operational complexity and risk. Furthermore, attackers exploiting this vulnerability can maintain persistent access, making detection and remediation difficult. The combined risk to both server infrastructure and Telegram accounts elevates the threat to critical levels, especially for organizations relying on Hikka for automation or communication tasks.
Mitigation Recommendations
1. Immediately deploy the `--no-web` flag when starting Hikka userbots to disable the vulnerable web interface entirely, eliminating the attack surface.
2. If web interface usage is unavoidable, restrict access to the web interface port using firewall rules or network segmentation to trusted IP addresses only, minimizing exposure.
3. After completing any necessary authorization via the web interface, promptly close the web interface port or stop the web service to prevent unauthorized access.
4. Educate all users and administrators to avoid clicking "Allow" on the "Allow web application ops" prompt unless they explicitly initiated the action and fully understand the consequences.
5. Monitor server logs and network traffic for unusual activity indicative of exploitation attempts, such as unexpected connections or command executions.
6. Consider isolating the userbot environment using containerization or sandboxing to limit the impact of potential compromise.
7. Regularly back up critical data and configurations to enable recovery in case of compromise.
8. Stay informed about updates from the vendor or community for any forthcoming patches or security advisories.
These steps go beyond generic advice by focusing on operational controls specific to Hikka's architecture and user interaction patterns.
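The audit script below is an added example, not Hikka's own code or part of the advisory. It parses constructed `ps -eo args` and `ss -ltn` output to flag two conditions the workarounds above are meant to prevent: a Hikka process launched without `--no-web` (step 1) and the web interface port still bound to a non-loopback address after authorization (steps 2 and 3). The launch form `python3 -m hikka` and the port number 8080 are assumptions, not values taken from the advisory; adjust both to match your deployment.

```python
"""Added example: audit a host for Hikka processes that still expose the web interface.

Assumptions (not from the advisory): Hikka is started as `python3 -m hikka`
and its web interface listens on WEB_PORT. Both are placeholders.
"""
import re
from dataclasses import dataclass

HIKKA_MODULE = "hikka"   # assumption: module name used with `python3 -m`
WEB_PORT = 8080          # assumption: placeholder web interface port

LOOPBACK = {"127.0.0.1", "::1"}


@dataclass
class Finding:
    kind: str    # "web-enabled" or "exposed-port"
    detail: str  # the offending command line or local socket address


def hikka_cmdlines(ps_output: str) -> list[str]:
    """Return the command lines from `ps -eo args` output that launch the Hikka module."""
    pattern = re.compile(rf"(?:^|\s)-m\s+{re.escape(HIKKA_MODULE)}\b")
    return [
        line.strip()
        for line in ps_output.splitlines()[1:]  # first row is the ps header
        if pattern.search(line)
    ]


def missing_no_web(cmdlines: list[str]) -> list[Finding]:
    """Flag every Hikka command line that was not started with --no-web."""
    return [Finding("web-enabled", c) for c in cmdlines if "--no-web" not in c.split()]


def exposed_listeners(ss_output: str, port: int) -> list[Finding]:
    """Parse `ss -ltn` output and report sockets on `port` bound to anything but loopback.

    A wildcard (0.0.0.0 / [::]) or public address means the port is reachable
    from the network, i.e. the 'close the port on the server' workaround is not in effect.
    """
    findings = []
    for line in ss_output.splitlines()[1:]:  # skip the column header
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        local = parts[3]                     # e.g. "0.0.0.0:8080" or "[::]:8080"
        host, _, local_port = local.rpartition(":")
        if local_port != str(port):
            continue
        if host.strip("[]") not in LOOPBACK:
            findings.append(Finding("exposed-port", local))
    return findings


def audit(ps_output: str, ss_output: str, port: int = WEB_PORT) -> list[Finding]:
    """Combine both checks into one list of findings."""
    return missing_no_web(hikka_cmdlines(ps_output)) + exposed_listeners(ss_output, port)


# Constructed sample output: one hardened and one unhardened Hikka process,
# the web port bound both to loopback and to the wildcard address.
SAMPLE_PS = """COMMAND
/usr/bin/python3 -m hikka --no-web
/usr/bin/python3 -m hikka
sshd: /usr/sbin/sshd -D
"""

SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_PS, SAMPLE_SS):
        print(f"{f.kind}: {f.detail}")
```

On a live host, feed the script the real output of `ps -eo args` and `ss -ltn` instead of the constructed samples; an empty result means no Hikka process is running with the web interface enabled and the assumed port is not reachable from outside the loopback interface.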
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-06-18T03:55:52.036Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 685b0bc766faf0c1de3b1305
Added to database: 6/24/2025, 8:34:15 PM
Last enriched: 6/24/2025, 8:39:40 PM
Last updated: 8/20/2025, 7:23:24 PM
Views: 79
Related Threats
- CVE-2025-8064: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in aicwebtech Bible SuperSearch (Medium)
- CVE-2025-8895: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in cozmoslabs WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress (Critical)
- CVE-2025-7390: CWE-295 Improper Certificate Validation in Softing Industrial Automation GmbH OPC UA C++ SDK (Critical)
- CVE-2025-53505: Improper limitation of a pathname to a restricted directory ('Path Traversal') in Intermesh BV Group-Office (Medium)
- CVE-2025-53504: Cross-site scripting (XSS) in Intermesh BV Group-Office (Medium)