What security vulnerabilities has CISA warned about in TeleMessage TM SGNL?

CISA has issued a warning about two security flaws in TeleMessage TM SGNL: CVE-2025-48927 (CVSS score 5.3), a Spring Boot Actuator misconfiguration exposing the /heapdump endpoint, and CVE-2025-48928 (CVSS score 4.0), which enables attackers with local access to extract memory-dump files. CISA has determined these are frequent attack vectors posing significant risks to the federal enterprise.

What is TeleMessage TM SGNL and why do government officials use it?

TeleMessage TM SGNL is a Signal clone developed by TeleMessage (owned by US archiving company Smarsh) and used by national security staffers and government officials. Unlike standard Signal, TM SGNL is specifically designed to maintain records of conversations to help government officials comply with recordkeeping requirements while still providing secure messaging capabilities.

What was the 'Signalgate' incident that brought attention to TM SGNL?

The 'Signalgate' incident occurred when then-US national security advisor Mike Waltz inadvertently added a journalist to a Signal group chat discussing a planned March airstrike against Houthi insurgents in Yemen. This raised concerns about government officials potentially circumventing recordkeeping requirements through Signal's self-deleting messages, leading to the discovery that officials were using TM SGNL instead.

What can attackers do with the CVE-2025-48927 vulnerability?

CVE-2025-48927 is a Spring Boot Actuator misconfiguration in TM SGNL that exposes the /heapdump endpoint, allowing attackers to download memory dumps containing sensitive data. This vulnerability has a CVSS score of 5.3 and enables unauthorized access to potentially sensitive information stored in memory.

How does the CVE-2025-48928 vulnerability work?

CVE-2025-48928 is a vulnerability with a CVSS score of 4.0 that enables attackers with local access to the TeleMessage server to extract memory-dump files, potentially exposing passwords sent over HTTP. This requires local access but can lead to credential theft and further system compromise.

Are these TM SGNL vulnerabilities being actively exploited?

Yes, CISA has specifically stated that these vulnerabilities are currently under active exploitation. CISA has determined that these flaws are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

How does TM SGNL differ from standard Signal in terms of security?

While standard Signal provides robust end-to-end encryption and self-deleting messages, TM SGNL was found to be severely buggy and lacking proper end-to-end encryption. TM SGNL was designed to maintain conversation records for compliance purposes, but this came at the cost of the security features that make standard Signal secure.

Which government agencies were affected by the TM SGNL data breach?

The data breach exposed communications from members of the Secret Service and at least one White House official, among over 60 government users whose chat logs and metadata were published on the leak site Distributed Denial of Secrets.

Have these TM SGNL vulnerabilities been used in ransomware attacks?

CISA has stated that these vulnerabilities have not yet been involved in any ransomware attacks. However, they are being actively exploited by malicious cyber actors and pose significant risks to federal enterprise systems.

What company owns TeleMessage and develops TM SGNL?

TeleMessage is owned by US archiving company Smarsh. TeleMessage developed TM SGNL specifically as a Signal clone that would maintain conversation records to help government officials comply with recordkeeping requirements.

Is it known how many government officials continue using TM SGNL?

It remains unclear how many government officials continue to use the application despite the known security concerns and vulnerabilities. Given CISA's strong warning and recommendation to discontinue use if patching isn't possible, continued usage would represent a significant security risk.

What should organizations do immediately regarding TM SGNL security?

Organizations should immediately patch their TeleMessage TM SGNL installations to address CVE-2025-48927 and CVE-2025-48928. If immediate patching is not feasible, CISA recommends discontinuing use of the software entirely due to the active exploitation of these vulnerabilities and the significant risks to organizational security.

Why did government officials switch from Signal to TM SGNL?

Government officials switched to TM SGNL to address concerns about circumventing recordkeeping requirements. While Signal's self-deleting message feature could potentially violate government record retention policies, TM SGNL was designed to maintain conversation records while still providing what was supposed to be secure messaging capabilities.

Attack

CISA warns of active attacks on Signal clone TeleMessage

Q: Was there a data breach involving TM SGNL users?

Yes, in May 2025, data thieves exploited TM SGNL's security deficiencies and published chat logs and metadata of over 60 government users on the leak site Distributed Denial of Secrets. The compromised data included communications from members of the Secret Service and at least one White House official.

Q: What is CISA's recommendation for organizations using TeleMessage products?

For organizations using TeleMessage products, CISA strongly recommends immediate patching. If patching is not possible, CISA's guidance suggests discontinuing use of the affected software entirely due to the significant security risks posed by these vulnerabilities.

published: July 3, 2025

Take action: If you're using TeleMessage TM SGNL, start patching it today, because it's being actively exploited. Alternatively, stop using the software entirely. Switch back to standard Signal or another approved properly encrypted messaging app since TM SGNL has already been breached and continues to be attacked.

Learn More

CISA has issued a warning about two security flaws in TeleMessage TM SGNL, a Signal clone used by national security staffers and government officials. CISA has determined that these vulnerabilities are "frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise".

TeleMessage TM SGNL gained prominence following the "Signalgate" incident, when then-US national security advisor Mike Waltz inadvertently added a journalist to a Signal group chat discussing a planned March airstrike against Houthi insurgents in Yemen. The incident raised concerns about government officials potentially circumventing recordkeeping requirements through Signal's self-deleting message feature. Subsequent investigations revealed that Waltz and other officials were using TM SGNL, developed by TeleMessage (owned by US archiving company Smarsh), specifically designed to maintain records of conversations unlike standard Signal.

Security concerns emerged when journalist Micah Lee examined TM SGNL's code and discovered it was severely buggy and lacked proper end-to-end encryption that standard Signal provides. These security deficiencies were quickly exploited by data thieves who, in May 2025, published chat logs and metadata of over 60 government users on the leak site Distributed Denial of Secrets. The compromised data included communications from members of the Secret Service and at least one White House official.

The vulnerabilities currently under active exploitation include:

CVE-2025-48927 (CVSS score 5.3): A Spring Boot Actuator misconfiguration in TM SGNL that exposes the /heapdump endpoint, allowing attackers to download memory dumps containing sensitive data.
CVE-2025-48928 (CVSS score 4.0): A vulnerability that enables attackers with local access to the TeleMessage server to extract memory-dump files, potentially exposing passwords sent over HTTP.

CISA has not released further details about these vulnerabilities beyond stating that they have not yet been involved in any ransomware attacks. It remains unclear how many government officials continue to use the application despite security concerns.

For organizations using TeleMessage products, immediate patching is strongly recommended. If patching is not possible, CISA's guidance suggests discontinuing use of the affected software entirely.

CISA warns of active attacks on Signal clone TeleMessage

Read More
Critical Privilege Escalation Vulnerability Reported in WordPress User …
Active exploitation reported of Hitachi Vantara Pentaho BA …
CISA warns of active explitation of Ivanti EPMM …
Supply chain attack compromises Magento E-commerce extensions
CISA warns of ZKTeco BioTime flaw actively exploited …