A zero-click RCE exploit requires no action from you. No tapped link, no opened file, no prompted permission. The attack executes the moment a malformed packet or crafted message reaches your device. That is what makes the Telegram zero-click RCE class of vulnerability genuinely dangerous, and why security researchers keep returning to messenger apps as a primary mobile attack surface.
What Zero-Click Actually Means
Traditional exploits need you to do something wrong. Zero-click attacks exploit flaws in the processing layer, the code that parses incoming data before you ever see it. In Telegram’s case, researchers have pointed to the media processing pipeline: animated stickers, video thumbnails, and voice message metadata all get parsed automatically on receipt. A malformed payload at that layer can trigger arbitrary code execution without your device showing you anything suspicious.
The attack surface is not unique to Telegram. WhatsApp patched CVE-2019-3568, a zero-click RCE in its VoIP stack that was actively used to install Pegasus spyware. Apple’s iMessage has been exploited zero-click three separate times since 2021. The common thread is automatic content parsing, a feature that improves user experience and simultaneously creates exposure you cannot mitigate through careful behaviour alone.
The Disclosure and Denial Cycle
Telegram has historically pushed back on zero-click claims, arguing that its custom MTProto protocol and server-side filtering reduce the realistic attack surface. Researchers counter that the client-side parsing code, particularly for media, is complex enough to harbour memory corruption bugs regardless of transport-layer security.
This tension is familiar in messenger security. Vendors rarely confirm zero-click vulnerabilities publicly until a patch ships, because disclosure before a fix actively hands attackers a verified target. The result is a pattern where security firms publish technical findings, vendors deny or minimise, and a patch appears weeks later with release notes that quietly reference “memory safety improvements”. If you see that language in a Telegram update changelog, treat it seriously.
If you want to understand how attackers move once initial access is established via your phone, the breakdown in these 12 signs your phone has been compromised covers the post-exploitation indicators that are actually visible to you.
Why Messenger Apps Are a Persistent Target
End-to-end encryption protects message content in transit. It does nothing to protect the code that processes that content on your device. Attackers targeting a journalist, a lawyer, or a corporate executive do not need to break the encryption. They need one memory corruption bug in the thumbnail renderer to get a shell.
Telegram’s architecture adds a specific wrinkle: it stores message history on its servers by default and syncs across devices. A successful zero-click on one device can potentially expose conversation history that predates the compromise. That is a fundamentally different risk profile compared to Signal, which stores nothing server-side and has a significantly smaller parsing codebase.
The best mobile security apps in 2025 include options that monitor for anomalous process behaviour, which can catch exploitation attempts that have already succeeded in gaining execution but not yet established persistence.
Practical Steps That Actually Reduce Your Exposure
You cannot patch a zero-click vulnerability yourself. But you can shrink the window between exploitation and detection, and reduce what an attacker gains if they succeed.
Keep Telegram and your OS updated automatically. Zero-click exploits have a short shelf life once a patch ships, but only if you install it. Disable automatic media download in Telegram’s settings under Data and Storage. This delays, though does not eliminate, media parsing until you manually open content. On iOS, enabling Lockdown Mode significantly restricts the attack surface by disabling many automatic content processing features, at a cost to functionality you will notice.
For high-risk individuals, the question is whether Telegram is the right tool at all. Signal’s smaller codebase, memory-safe rewrites in progress across its core libraries, and zero server-side storage make it a materially more defensible choice. If your threat model includes nation-state actors, voice-based social engineering often follows successful device compromise, as attackers impersonate you to extract further access from colleagues.
Finally, review which devices have active Telegram sessions. Settings > Privacy and Security > Active Sessions shows every logged-in device. Terminate any session you do not recognise immediately. A zero-click compromise does not always announce itself, but a session you did not open will.
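The same session review can be run as a repeatable check over a list of session records. This is an added example, not code from the original article or from Telegram: the field names follow the authorization object in Telegram's API schema, every value is constructed, and the device inventory, usual-country set and suspected-compromise date are assumptions you would replace with your own.

```python
from datetime import datetime, timezone

def ts(y, m, d):
    """UTC midnight as a Unix timestamp (session dates are Unix times)."""
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())

# Constructed sample sessions; field names follow the `authorization` object in
# Telegram's API schema, every value is invented for this example.
SESSIONS = [
    {"hash": 0, "official_app": True, "device_model": "iPhone 15", "platform": "iOS",
     "date_created": ts(2025, 3, 1), "ip": "198.51.100.7", "country": "GB"},
    {"hash": 1111, "official_app": True, "device_model": "MacBook Pro", "platform": "macOS",
     "date_created": ts(2025, 6, 10), "ip": "198.51.100.7", "country": "GB"},
    {"hash": 2222, "official_app": True, "device_model": "Pixel 8", "platform": "Android",
     "date_created": ts(2026, 1, 14), "ip": "203.0.113.50", "country": "GB"},
    {"hash": 3333, "official_app": False, "device_model": "PC 64bit", "platform": "Windows",
     "date_created": ts(2026, 1, 15), "ip": "192.0.2.99", "country": "NL"},
]

# Assumptions: the owner's device inventory, usual countries, and the start of
# the suspected compromise window.
KNOWN_DEVICES = {("iPhone 15", "iOS"), ("MacBook Pro", "macOS")}
USUAL_COUNTRIES = {"GB"}
WINDOW_START = ts(2026, 1, 10)

def triage(sessions, known=KNOWN_DEVICES, countries=USUAL_COUNTRIES, since=WINDOW_START):
    """Return [(hash, [reasons])] for sessions that need review, worst first."""
    findings = []
    for s in sessions:
        reasons = []
        if (s["device_model"], s["platform"]) not in known:
            reasons.append("device not in inventory")
        if not s["official_app"]:
            reasons.append("unofficial client")
        if s["date_created"] >= since:
            reasons.append("created inside suspected window")
        if s["country"] not in countries:
            reasons.append("unusual country")
        if reasons:
            findings.append((s["hash"], reasons))
    # Most reasons first, so the session to terminate first is at the top.
    return sorted(findings, key=lambda f: len(f[1]), reverse=True)

if __name__ == "__main__":
    for session_hash, reasons in triage(SESSIONS):
        print(session_hash, "->", ", ".join(reasons))
```

A session that trips several checks at once is the one to terminate first; a single "device not in inventory" hit is often just a stale inventory and should be confirmed with the owner.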
For organisations managing a response after a suspected compromise, the UK incident response framework covers the triage and containment steps relevant to mobile endpoint breaches.
FAQ: Telegram Zero-Click RCE
- Has Telegram confirmed a zero-click RCE vulnerability?
  Telegram has not publicly confirmed a specific zero-click RCE as of early 2026. The company disputes characterisations of its attack surface while continuing to ship security patches. Researchers from firms including ESET and Citizen Lab have documented Telegram-targeting campaigns that used zero-interaction delivery mechanisms.
- Does using a VPN protect me from a zero-click attack on Telegram?
  No. A VPN encrypts your traffic but does not affect how your device processes incoming message data. Zero-click attacks exploit parsing vulnerabilities in the app itself, which execute regardless of your network configuration.
- Is Signal safer than Telegram against zero-click exploits?
  Signal has a substantially smaller codebase, stores no message history on its servers, and has fewer automatic media processing features. That translates to a smaller attack surface, though not immunity. No messenger app is categorically safe from zero-click exploitation.
- What should I do if I suspect my Telegram was compromised via a zero-click exploit?
  Terminate all active sessions immediately from Settings. Revoke app permissions on your device. Change your account password and 2FA code from a different, trusted device. Report the incident to your organisation’s security team and, if you are a high-risk individual, contact a digital forensics firm for device analysis.