U.S. CISA adds TeleMessage TM SGNL to its Known Exploited Vulnerabilities catalog
May 12, 2025 
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds TeleMessage TM SGNL flaw to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a TeleMessage TM SGNL flaw, tracked as CVE-2025-47729 (CVSS score of 1.9), to its Known Exploited Vulnerabilities (KEV) catalog.
“The TeleMessage archiving backend through 2025-05-05 holds cleartext copies of messages from TM SGNL (aka Archive Signal) app users, which is different functionality than described in the TeleMessage “End-to-End encryption from the mobile phone through to the corporate archive” documentation, as exploited in the wild in May 2025.” reads the advisory.
Last week, a hacker stole customer data from TeleMessage, an Israeli firm selling modified versions of popular messaging apps, such as Signal and WhatsApp, to the U.S. government.
“The data stolen by the hacker contains the contents of some direct messages and group chats sent using its Signal clone, as well as modified versions of WhatsApp, Telegram, and WeChat.” reported 404media. “TeleMessage was recently the center of a wave of media coverage after Mike Waltz accidentally revealed he used the tool in a cabinet meeting with President Trump.”
The security breach highlights the risks of relying on modified versions of popular apps, especially when chats aren’t end-to-end encrypted between the apps and the archive. 404 Media noted that although the app was used by top U.S. officials, cabinet-level messages were not compromised. However, data belonging to Customs and Border Protection (CBP), Coinbase, and other financial entities was also leaked.
“One screenshot of the hacker’s access to a TeleMessage panel lists the names, phone numbers, and email addresses of CBP officials.” reports 404Media. “The screenshot says “select 0 of 747,” indicating that there may be that many CBP officials included in the data. A similar screenshot shows the contact information of current and former Coinbase employees.”
Though not all data was accessed, the threat actor hacked the company in just 20 minutes, raising national security concerns, especially as top U.S. officials, including Waltz, were using the tool during sensitive discussions.
Recently, 404 Media first reported that the U.S. National Security Advisor Waltz accidentally revealed he was using TeleMessage’s modified version of Signal during the cabinet meeting.
“The use of that tool raised questions about what classification of information was being discussed across the app and how that data was being secured, and came after revelations top U.S. officials were using Signal to discuss active combat operations.” continues the post.
The exposed TeleMessage data includes message contents, government contact info, backend credentials, and client clues. Messages came from modified Signal and include political and crypto-related discussions, such as chats involving Galaxy Digital and U.S. Senate bill deliberations.
The hacker gained access to debug data from TeleMessage that included fragments of live, unencrypted messages. 404 Media verified the breach by contacting CBP officials listed in the data, confirming its authenticity.
“The server that the hacker compromised is hosted on Amazon AWS’s cloud infrastructure in Northern Virginia. By reviewing the source code of TeleMessage’s modified Signal app for Android, 404 Media confirmed that the app sends message data to this endpoint.” concludes the media. “404 Media also made an HTTP request to this server to confirm that it is online.”
Journalist Micah Lee analyzed TeleMessage’s Signal clone, finding hardcoded credentials and license concerns. He accessed its Android source via a leaked URL. Other researchers later found iOS code. The app may violate Signal’s open-source terms. Meanwhile, Waltz, linked to Signal misuse, was reassigned.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix these vulnerabilities by June 2, 2025.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CISA)