CISA provides TeleMessage flaw to KEV listing, urges companies to behave inside 3 weeks after a breach uncovered unencrypted chats. The Israeli App was utilized by Trump officers!
A severe flaw in TM SGNL, a messaging app by US-Israeli agency TeleMessage utilized by former Trump administration officers, has now landed on CISA’s Identified Exploited Vulnerabilities (KEV) listing. The transfer follows studies of a breach that uncovered delicate communications and backend information.
The Cybersecurity and Infrastructure Safety Company (CISA) added CVE-2025-47729 to its KEV catalogue this week. The itemizing confirms that the vulnerability has been exploited within the wild and units a three-week deadline for federal companies to deal with the difficulty.
Breach and Analysis Findings
On Could 5, Hackread.com reported that TeleMessage had halted operations of TM SGNL after attackers gained entry to backend techniques and person message information. The breach solid doubt on the platform’s core safety claims.
Safety researcher Micah Lee analyzed the app’s supply code and located a severe hole in its encryption mannequin. Whereas TeleMessage acknowledged that TM SGNL used end-to-end encryption, Lee’s findings counsel in any other case. Communication between the app and its last storage level lacked full encryption, which opened the door for attackers to intercept plaintext chat logs.
This discovering raised some severe safety and privateness considerations given the app’s previous use by high-level figures, together with former nationwide safety advisor Mike Waltz.
Why CISA Acted
CISA’s choice so as to add the flaw to its KEV listing sends a transparent message to authorities companies: the software program isn’t protected. It places strain on them to patch or drop it shortly.
Thomas Richards, Infrastructure Safety Apply Director at Black Duck, mentioned the choice doubtless stemmed from the software program’s use in authorities:
“This vulnerability was in all probability added to the KEV listing due to who was utilizing it. With delicate authorities conversations concerned, the breach takes on one other stage of threat. CISA’s transfer is about ensuring companies know this software program shouldn’t be trusted.”
Casey Ellis, founding father of Bugcrowd, added that the inclusion confirms the severity:
“CISA is ensuring federal companies bought the message. The truth that the logs weren’t correctly encrypted modifications the chance equation. And whereas the CVSS 1.9 rating could seem low, it nonetheless displays the hazard of compromising the system storing these logs.”
What’s Subsequent
Federal companies are actually required to behave inside three weeks. Organizations exterior the federal government are additionally suggested to evaluate the KEV catalogue and take into account prioritizing patches or various options.
The breach and following KEV itemizing have pushed TeleMessage into a bigger dialogue about transparency, encryption requirements, and the safety infrastructure of platforms utilized in political and governmental communication.
For extra info, the CVE entry is offered through NVD, and the KEV catalogue may be accessed on the CISA web site.
