CISA Issues Urgent Alert on TeleMessage TM SGNL Vulnerabilities Exploited in Federal Data Breach


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical advisory warning that TeleMessage TM SGNL, a Signal messaging app clone used by federal agencies, is under active attack due to severe security flaws. These vulnerabilities, identified as CVE-2025-48927 and CVE-2025-48928, have enabled hackers to access sensitive chat logs and metadata, compromising the communications of approximately 60 government officials, including Secret Service members and a White House official. CISA has mandated that federal agencies patch these vulnerabilities by July 22, 2025, or cease using the app entirely.

Vulnerabilities Fueling the Attacks

  • CVE-2025-48927 (CVSS score: 5.3): This flaw arises from a misconfigured Spring Boot Actuator in TM SGNL, exposing the /heapdump endpoint. Attackers can exploit this to extract memory dumps containing sensitive data, such as authentication credentials and session tokens, posing a significant risk to federal systems.

  • CVE-2025-48928 (CVSS score: 4.0): This vulnerability allows attackers with local access to the TeleMessage server to retrieve memory-dump files, exposing passwords transmitted over HTTP. The flaw stems from the app’s JavaServer Pages (JSP) architecture, where heap content functions similarly to a core dump, making sensitive data accessible.
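Because CVE-2025-48927 is a classic exposed-Actuator misconfiguration, the quickest defensive check is to look for requests to the sensitive Actuator endpoints in the web server's access logs. The script below is an added example written for this article; it is not code from CISA, TeleMessage or Smarsh, and the log lines it parses are constructed samples in the common Apache/nginx combined format, not real TM SGNL logs. It flags a successful `GET /actuator/heapdump` (the CVE-2025-48927 pattern) as critical, blocked attempts on other secret-bearing endpoints as high, and enumeration of the endpoint listing as medium, while leaving `/actuator/health` alone.

```python
import re
from collections import Counter

# Constructed sample access log lines for illustration only (not real TeleMessage logs).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jul/2025:10:13:55 +0000] "GET /actuator HTTP/1.1" 200 1122 "-" "curl/8.4.0"
203.0.113.7 - - [01/Jul/2025:10:14:02 +0000] "GET /actuator/heapdump HTTP/1.1" 200 183920441 "-" "curl/8.4.0"
198.51.100.22 - - [01/Jul/2025:10:15:10 +0000] "GET /archive/messages?user=alice HTTP/1.1" 200 5831 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jul/2025:10:16:40 +0000] "GET /actuator/env HTTP/1.1" 403 0 "-" "curl/8.4.0"
192.0.2.5 - - [01/Jul/2025:10:17:01 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "kube-probe/1.29"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Spring Boot Actuator endpoints that leak secrets (heapdump, env, configprops, ...)
# or allow runtime changes (loggers). health/info are excluded as benign by default.
SENSITIVE_ACTUATOR_ENDPOINTS = {
    "heapdump", "env", "threaddump", "configprops", "loggers", "beans", "mappings",
}


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def classify(rec):
    """Return (severity, endpoint) for an Actuator request, or None if the request is not of interest."""
    path = rec["path"].split("?", 1)[0]
    parts = path.strip("/").split("/")
    # The app may sit under a context path, so look for the "actuator" segment anywhere.
    if "actuator" not in parts:
        return None
    idx = parts.index("actuator")
    endpoint = parts[idx + 1] if idx + 1 < len(parts) else ""
    if endpoint == "":
        return ("medium", "")  # endpoint discovery via the Actuator index
    if endpoint in SENSITIVE_ACTUATOR_ENDPOINTS:
        # A 2xx on heapdump/env means the secret-bearing data actually left the server.
        return ("critical", endpoint) if 200 <= rec["status"] < 300 else ("high", endpoint)
    return None


def scan(log_text):
    """Scan access log text and return a list of alert dicts in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        result = classify(rec)
        if result is None:
            continue
        severity, endpoint = result
        alerts.append({
            "severity": severity,
            "endpoint": endpoint,
            "ip": rec["ip"],
            "status": rec["status"],
            "bytes": rec["size"],
            "ts": rec["ts"],
        })
    return alerts


def sources(alerts):
    """Count alerts per source IP so repeated probing from one host stands out."""
    return Counter(a["ip"] for a in alerts)


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f'{a["severity"]:8} {a["ip"]:15} /actuator/{a["endpoint"]} '
              f'status={a["status"]} bytes={a["bytes"]} at {a["ts"]}')
    print("alerts per source:", dict(sources(scan(SAMPLE_LOG))))
```

A critical hit here is a strong signal that a heap dump was downloaded and the credentials and session tokens in it should be treated as compromised. The detection is a stopgap: the durable fix on the Spring Boot side is to stop exposing the endpoint at all (restrict `management.endpoints.web.exposure.include` to `health` and put Actuator behind authentication) before rotating anything the dump could have contained.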

Origins of the TeleMessage Breach

The vulnerabilities came to light following the “Signalgate” incident in March 2025, when then-National Security Advisor Mike Waltz inadvertently added The Atlantic editor-in-chief Jeffrey Goldberg to a TM SGNL group chat discussing U.S. military strikes against Houthi rebels in Yemen. Subsequent investigations revealed that TM SGNL, developed by Israel-based TeleMessage (owned by U.S. firm Smarsh), lacked proper end-to-end encryption, contrary to its marketing claims. This security gap allowed hackers to breach the app’s backend, exposing unencrypted chat logs and metadata.

Exploitation and Impact

Hackers exploited these flaws to access archived messages from U.S. agencies, including Customs and Border Protection, and private entities like Coinbase. The attack, which took approximately 20 minutes to execute, demonstrated the ease of exploiting TM SGNL’s insecure configurations. While CISA has confirmed that no ransomware attacks have been linked to these vulnerabilities, the exposure of sensitive government communications underscores the severity of the breach.


CISA’s Response and Recommendations

CISA added CVE-2025-48927 and CVE-2025-48928 to its Known Exploited Vulnerabilities (KEV) Catalog on July 1, 2025, citing their frequent use by malicious actors and significant risks to federal networks. Under Binding Operational Directive (BOD) 22-01, federal agencies must apply vendor-provided patches or discontinue TM SGNL use by July 22, 2025. CISA also urges private organizations to prioritize remediation to prevent data theft and privilege escalation. If patches are unavailable, CISA recommends discontinuing the app to mitigate risks.

Broader Implications

The TeleMessage breach highlights the dangers of relying on third-party messaging apps without robust encryption and security practices, particularly in sensitive government environments. The incident has sparked discussions about the need for stricter vetting of communication platforms and improved transparency in encryption standards. Organizations using TM SGNL are advised to audit deployments, secure endpoints, and monitor for suspicious activity to safeguard against further exploitation.
