U.S. CISA Adds TeleMessage TM SGNL to Its Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a flaw in TeleMessage TM SGNL, tracked as CVE-2025-47729 (CVSS score 1.9), to its Known Exploited Vulnerabilities (KEV) catalog. The low CVSS score reflects the scoring vector rather than the real-world impact: a KEV listing is based on evidence of active exploitation, not on severity.

According to CISA's advisory, the TeleMessage archiving backend through May 5, 2025, holds cleartext copies of messages from users of the TM SGNL (aka Archive Signal) app. This contradicts TeleMessage's own documentation, which describes end-to-end encryption from the mobile phone through to the corporate archive.

Recently, a hacker stole customer data from TeleMessage, an Israeli firm that sells modified versions of popular messaging apps such as Signal and WhatsApp to the U.S. government. The stolen data included the contents of direct messages and group chats sent using its Signal clone, as well as its modified versions of WhatsApp, Telegram, and WeChat.

The breach highlights the risks of relying on modified versions of popular apps, especially when chats are not end-to-end encrypted between the apps and the archive. Although the app was used by top U.S. officials, including Mike Waltz, cabinet-level messages were not compromised in this incident.

Data belonging to Customs and Border Protection (CBP), Coinbase, and other financial institutions was leaked, however. The hacker accessed the company's backend panel, which listed the names, phone numbers, and email addresses of CBP officials, as well as contact information for current and former Coinbase employees.

The Threat Actor's Access

The threat actor gained access to the TeleMessage server in just 20 minutes, raising national security concerns. The exposed data includes message contents, government contact information, backend credentials, and clues to the identities of TeleMessage's clients.

The captured messages came from the modified Signal client and included political and crypto-related discussions, such as chats involving Galaxy Digital and deliberations over a U.S. Senate bill. The hacker also obtained debug data from TeleMessage's backend that included fragments of live, unencrypted messages.

Verification and Analysis

404 Media verified the breach by contacting CBP officials listed in the data, who confirmed its authenticity. Journalist Micah Lee analyzed TeleMessage's Signal clone and found hardcoded credentials as well as concerns about compliance with Signal's open-source license. He obtained the app's Android source code via a leaked URL, and other researchers later located the iOS code.

The Implications

Experts recommend that private organizations also review the KEV catalog and address any listed vulnerabilities present in their infrastructure. CISA has ordered federal civilian agencies to remediate this vulnerability, or discontinue use of the product where no mitigation is available, by June 2, 2025.

The KEV catalog is backed by Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, which requires Federal Civilian Executive Branch (FCEB) agencies to remediate each cataloged vulnerability by its due date in order to protect their networks against attacks exploiting those flaws.
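The review that the two paragraphs above recommend, matching an asset inventory against the KEV feed and tracking each entry's BOD 22-01 due date, is straightforward to automate. The script below is an added example written for this page, not code from CISA, TeleMessage, or 404 Media. It uses the field names of the real KEV JSON feed (`cveID`, `vendorProject`, `product`, `dueDate`, `requiredAction`, and so on), but the catalog document embedded here is a constructed sample containing only the entry discussed in the article, with its description and required-action text paraphrased, and the inventory is hypothetical.

```python
"""Match a software inventory against the CISA KEV catalog and flag due dates.

Added example for this page (not CISA's or TeleMessage's code). The live feed,
which has the same record shape as the constructed sample below, is published at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
"""
import json
import re
from datetime import date

# Constructed sample document in the KEV feed's shape. Only the entry from the
# article is included; vulnerabilityName, shortDescription and requiredAction
# are paraphrased here, not copied from the catalog.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "catalogVersion": "sample",
    "count": 1,
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-47729",
            "vendorProject": "TeleMessage",
            "product": "TM SGNL",
            "vulnerabilityName": "TeleMessage TM SGNL cleartext message archiving",
            "dateAdded": "2025-05-12",
            "shortDescription": "Archiving backend holds cleartext copies of TM SGNL messages.",
            "requiredAction": "Apply vendor mitigations or discontinue use of the product.",
            "dueDate": "2025-06-02",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        }
    ],
})

# Hypothetical asset inventory; the second row has the messy naming that real
# CMDB exports tend to contain, which is why matching is normalised below.
INVENTORY = [
    {"vendor": "TeleMessage", "product": "TM SGNL", "host": "mobile-fleet"},
    {"vendor": "teleMessage Ltd.", "product": "tm-sgnl", "host": "exec-phones"},
    {"vendor": "Signal Messenger", "product": "Signal", "host": "mobile-fleet"},
]


def _norm(s):
    """Lowercase and strip non-alphanumerics so 'TM SGNL' == 'tm-sgnl' == 'TM_SGNL'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def load_kev(text):
    """Parse a KEV feed document and return its list of vulnerability records."""
    return json.loads(text)["vulnerabilities"]


def match_inventory(kev, inventory):
    """Return (asset, record) pairs whose vendor and product match after normalisation.

    Vendor matches if either normalised name contains the other (handles legal
    suffixes such as 'Ltd.'); product must match exactly after normalisation.
    """
    matches = []
    for asset in inventory:
        av, ap = _norm(asset["vendor"]), _norm(asset["product"])
        for rec in kev:
            kv, kp = _norm(rec["vendorProject"]), _norm(rec["product"])
            if (kv in av or av in kv) and ap == kp:
                matches.append((asset, rec))
    return matches


def days_until_due(rec, today):
    """Days left until the BOD 22-01 due date; negative means the entry is overdue."""
    return (date.fromisoformat(rec["dueDate"]) - today).days


def report(kev_text, inventory, today_iso):
    """Build findings for every inventory asset that appears in the KEV feed."""
    today = date.fromisoformat(today_iso)
    findings = []
    for asset, rec in match_inventory(load_kev(kev_text), inventory):
        left = days_until_due(rec, today)
        findings.append({
            "host": asset["host"],
            "cve": rec["cveID"],
            "due": rec["dueDate"],
            "days_left": left,
            "overdue": left < 0,
            "action": rec["requiredAction"],
        })
    return findings


if __name__ == "__main__":
    for f in report(SAMPLE_KEV_JSON, INVENTORY, "2025-05-20"):
        state = "OVERDUE" if f["overdue"] else f"{f['days_left']} days left"
        print(f"{f['host']}: {f['cve']} due {f['due']} ({state}) -> {f['action']}")
```

Against the live feed, replace `SAMPLE_KEV_JSON` with the downloaded document and `INVENTORY` with a CMDB or MDM export; the normalised matching is deliberately loose on vendor names and strict on product names, so review any `Unknown`-vendor rows by hand rather than widening the match further.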