CISA has added a medium-severity vulnerability discovered in TeleMessage TM SGNL, the messaging application that was used by the former national security advisor Mike Waltz, to its Known Exploited Vulnerabilities (KEV) Catalog.
The modified version of the more famous Signal app, TM SGNL, was recently probed by security researchers and subsequently alleged to have been hacked, just after Waltz was photographed using it on his phone.
“It may seem paradoxical to find a vulnerability with a CVSS score as low as 1.9 in CISA’s KEV catalog, attracting considerable attention,” said Eric Schwake, director of cybersecurity strategy at Salt Security. “However, the CVSS score mainly indicates the technical aspects of the vulnerability rather than the effects of its exploitation or the extent of its use by attackers.”
The actively exploited vulnerability, tracked as CVE-2025-47729, was assigned a severity score of CVSS 4.9 out of 10 and is said to affect TeleMessage Archiving Backend released up to and including May 5, 2025. Thus, updating to a version released after May 2025 is recommended as a mitigation.
Exploitation leads to critical exposure
The addition to CISA’s KEV raises concerns, particularly owing to the critical nature of the exposed data.
Despite the vendor’s assurances that the app supports end-to-end encryption, researcher Micah Lee, who dug into its source code, found that communication between the app and the final message archive isn’t encrypted end-to-end. This allows attackers to access plaintext chat logs.
“Although the exploitation methods might not be complicated (hence the low score), the outcome—access to plaintext chat logs despite assertions of end-to-end encryption—constitutes a serious breach of confidentiality, which is essential for a secure messaging service, especially one that may handle sensitive communications,” Schwake noted.
CISA’s advice for agencies and businesses to avoid using TeleMessage likely stems from this confirmed real-world exploitation and its significant impact on data privacy, regardless of the technical score, he added.
Government officials are especially vulnerable
“This vulnerability was most likely added to the KEV list due to the reported use of TeleMessage by government officials,” Thomas Richards, infrastructure security practice director at Black Duck, told CSO in a comment.
TM SGNL first made headlines in March, when senior administration officials faced backlash after Waltz mistakenly added The Atlantic’s Jeffrey Goldberg to what turned out to be a classified group chat.
Casey Ellis, founder of Bugcrowd, noted that the KEV list is being used to make sure all federal agencies are on the same page about steering clear of this software. “Given how TM Signal has been used, and the impact of successful compromise, the KEV inclusion is unsurprising to me,” Ellis said.
Federal agencies face a mandatory deadline of just three weeks to remediate any vulnerabilities flagged in the KEV catalog. While the rule doesn’t extend to the private sector, organizations across the board are strongly urged to monitor the KEV list as the go-to resource for patch prioritization.