
TeleMessage Signal app lands on CISA’s exploited vulnerability list


A flaw in the TeleMessage Signal app, plus its use by high-profile national security officials, was enough to land it on the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog on May 12.

While the actual flaw — CVE-2025-47729 — has a low CVSS score of 1.9, security pros said CISA put the bug on the KEV catalog because of concerns that it could have been exploited when former National Security Advisor Mike Waltz was photographed using the cloned TeleMessage Signal app to communicate with other high-ranking government officials.

That incident was not long after the original case in which Waltz was found to have added a prominent journalist with The Atlantic to a group chat that discussed then-upcoming operations in Yemen with the actual Signal app — a move that led to his dismissal by President Donald Trump.

TeleMessage, an Israeli company now owned by Oregon-based Smarsh, lets users archive messages sent through applications such as WhatsApp, Telegram and Signal. 

In response to all the negative press, Smarsh temporarily suspended its TeleMessage Signal services pending an investigation. The company was looking into reports involving Waltz, as well as another incident in which government officials at the Customs and Border Patrol used the cloned TeleMessage Signal app, and claims by hackers that they stole private messages from the various clones of the TeleMessage apps, though not in any of the cases involving U.S. government officials.

Casey Ellis, founder at Bugcrowd, said CISA put the bug on the KEV catalog to ensure that all federal agencies “got the memo” not to use this software, and said there has been evidence of exploitation or attempted exploitation of this vulnerability.

“Given how TeleMessage Signal has been used, and the impact of successful compromise, it's unsurprising to me,” said Ellis. “The CVSS 1.9 reflects the fact that accessing the unencrypted logs would still require compromising the endpoint containing the logs.”

Nic Adams, chief executive officer at 0rcus, explained that the low CVSS number masked a high-impact flaw already being exploited against real targets. CISA only acted based on evidence of adversary activity, said Adams.

“Attackers accessed entire message histories from multiple apps, including Signal clones,” said Adams. “Group chat logs, internal contacts, and operational metadata were pulled from the archive server. Cred exposure and backend debug data were also leaked. With that data, attackers could spoof users, map networks, or pivot into synchronized services such as Microsoft 365 or SFTP gateways. It enabled both passive surveillance and active operations.”

Adams explained that the architecture itself introduced risk by storing plaintext message content outside user control in a cloud-based archive. Even if patches are applied, Adams said archive behavior remains incompatible with secure communication.

“Continued use equates to continued exposure,” said Adams. “Discontinuation was the only viable containment strategy. Archiving encrypted messages nullifies the original security model. Any product that performs compliance logging while claiming end-to-end encryption should be scrutinized.” 
