U.S. CISA adds TeleMessage TM SGNL to its Known Exploited Vulnerabilities catalog

This post was originally published on Security Affairs. It can be found here.

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds TeleMessage TM SGNL flaw to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a TeleMessage TM SGNL flaw, tracked as CVE-2025-47729 (CVSS score of 1.9), to its Known Exploited Vulnerabilities (KEV) catalog.

“The TeleMessage archiving backend through 2025-05-05 holds cleartext copies of messages from TM SGNL (aka Archive Signal) app users, which is different functionality than described in the TeleMessage “End-to-End encryption from the mobile phone through to the corporate archive” documentation, as exploited in the wild in May 2025.” reads the advisory.

Last week, a hacker stole customer data from TeleMessage, an Israeli firm selling modified versions of popular messaging apps, such as Signal and WhatsApp, to the U.S. government.

“The data stolen by the hacker contains the contents of some direct messages and group chats sent using its Signal clone, as well as modified versions of WhatsApp, Telegram, and WeChat.” reported 404media. “TeleMessage was recently the center of a wave of media coverage after Mike Waltz accidentally revealed he used the tool in a cabinet meeting with President Trump.”

The security breach highlights the risks of relying on modified versions of popular apps, especially when chats aren’t end-to-end encrypted between the apps and the archive. 404 Media noted that although the app was used by top U.S. officials, cabinet-level messages were not compromised. However, data belonging to Customs and Border Protection (CBP), Coinbase, and other financial entities was also leaked.

“One screenshot of the hacker’s access to a TeleMessage panel lists the names, phone numbers, and email addresses of CBP officials.” reports 404Media. “The screenshot says “select 0 of 747,” indicating that there may be that many CBP officials included in the data. A similar screenshot shows the contact information of current and former Coinbase employees.”

Though not all data was accessed, the threat actor hacked the company in just 20 minutes, raising national security concerns, especially as top U.S. officials, including Waltz, were using the tool during sensitive discussions.

Recently, 404 Media first reported that the U.S. National Security Advisor Waltz accidentally revealed he was using TeleMessage’s modified version of Signal during the cabinet meeting. 

“The use of that tool raised questions about what classification of information was being discussed across the app and how that data was being secured, and came after revelations top U.S. officials were using Signal to discuss active combat operations.” continues the post.

The exposed TeleMessage data includes message contents, government contact info, backend credentials, and client clues. Messages came from modified Signal and include political and crypto-related discussions, such as chats involving Galaxy Digital and U.S. Senate bill deliberations.

The hacker gained access to debug data from TeleMessage that included fragments of live, unencrypted messages. 404 Media verified the breach by contacting CBP officials listed in the data, confirming its authenticity.

“The server that the hacker compromised is hosted on Amazon AWS’s cloud infrastructure in Northern Virginia. By reviewing the source code of TeleMessage’s modified Signal app for Android, 404 Media confirmed that the app sends message data to this endpoint.” concludes the media. “404 Media also made an HTTP request to this server to confirm that it is online.”

Journalist Micah Lee analyzed TeleMessage’s Signal clone, finding hardcoded credentials and license concerns. He accessed its Android source via a leaked URL. Other researchers later found iOS code. The app may violate Signal’s open-source terms. Meanwhile, Waltz, linked to Signal misuse, was reassigned.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by June 2, 2025.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

This post was originally published on this site

Forum Search

Partners & Sponsors
  • University of Baltimore
  • Towson University
  • Bureau of Justice Assistance
  • National Science Foundation
LATEST FORUM POSTS
Test post2

Test Post2

By Demo User12, 1 year ago

Finding internships

Hello, Has anyone here secured any forensic related internships for 2024? I'm collecting some data and wanted to know what...

By AP Malla, 1 year ago

Beginner network forensic investigation

How should I approach network forensic? Would you recommend learning tools like WireShark?

By AP Malla, 1 year ago

Cyber Forensic Employment: High level guidelines

Understand the Basics: Know the Field: Cyber forensics involves investigating digital crimes, analyzing electronic data, and recovering hidden, deleted, or...

By AP Malla, 1 year ago

LATEST POSTS
Article thumbnail image
Apple released security updates to address easily exploitable vulnerabilities i
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds TeleMessage T
Article thumbnail image
Expert found two flaws in DriverHub, pre-installed on Asus motherboards, which
Germany’s BKA shut down eXch crypto exchange, seizing its infrastructure over