CISA Warns: TeleMessage TM SGNL Actively Exploited for Data Leaks, Patch by July 22
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a stark warning regarding serious threats posed by the application TeleMessage TM SGNL, which had been promoted as a secure alternative to the Signal messenger. According to the agency, malicious actors are actively exploiting two vulnerabilities within the app, presenting significant risks to U.S. federal agencies. Consequently, government entities have been instructed to either patch the vulnerabilities using the developer’s updates or cease using TM SGNL altogether by July 22.
TeleMessage rose to prominence following the so-called “Signalgate” incident, in which U.S. National Security Advisor Mike Waltz mistakenly added a journalist to a private Signal chat discussing an airstrike on Houthi targets in Yemen. Although the chat was configured for auto-deletion, the incident raised concerns among oversight bodies regarding compliance with official communication retention policies.
However, a subsequent investigation revealed that the participants were not using the original Signal app but a clone called TM SGNL, designed to log and archive work-related communications. TM SGNL is developed by TeleMessage, a subsidiary of the American firm Smarsh. Despite the app's claims of being secure, a source code review uncovered serious technical flaws and the absence of true end-to-end encryption, a fundamental feature of the original Signal application.
These shortcomings did not go unnoticed. In May, the platform Distributed Denial of Secrets published messages and metadata from over 60 U.S. government officials, including members of the Secret Service and at least one White House staffer.
As a result, CISA has added two TM SGNL vulnerabilities to its catalog of known exploited flaws:
- CVE-2025-48927 (CVSS score: 5.3): This vulnerability stems from improper configuration of the Spring Boot Actuator, exposing the /heapdump endpoint. Through this, attackers can download memory dumps containing sensitive information.
- CVE-2025-48928 (CVSS score: 4.0): This flaw allows local access to memory dumps from TeleMessage servers, posing a risk of password leaks and exposure of sensitive data, particularly if transmitted over unsecured HTTP protocols.
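A defensive check for the misconfiguration class behind CVE-2025-48927, as an added example that is not TeleMessage's or CISA's code: it reads a Spring Boot application.properties file and reports whether the heapdump actuator endpoint would be published over HTTP. It assumes Spring Boot 2.x-and-later property names and defaults (the page does not say which version TM SGNL ran), and both sample configurations are constructed.

```python
import re

INCLUDE = "management.endpoints.web.exposure.include"
EXCLUDE = "management.endpoints.web.exposure.exclude"

# Constructed sample: every actuator endpoint published over HTTP.
WEAK = "management.endpoints.web.exposure.include=*\n"
# Constructed sample: only health published, heapdump switched off.
HARDENED = (
    "management.endpoints.web.exposure.include=health\n"
    "management.endpoint.heapdump.enabled=false\n"
)

def parse_properties(text):
    """Parse single-line key=value or key: value entries (# and ! start comments)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1).lower()] = m.group(2).strip()
    return props

def _ids(value):
    """Split a comma-separated endpoint list into a set of lower-case ids."""
    return {v.strip().strip("'\"").lower() for v in value.split(",") if v.strip()}

def heapdump_exposed(text):
    """Return (exposed, reason) for the heapdump endpoint over HTTP."""
    p = parse_properties(text)
    include = _ids(p.get(INCLUDE, "health"))  # assumed default: heapdump not web-exposed
    exclude = _ids(p.get(EXCLUDE, ""))
    default_on = p.get("management.endpoints.enabled-by-default", "true").lower() != "false"
    enabled = p.get("management.endpoint.heapdump.enabled", str(default_on)).lower() == "true"
    if p.get("management.endpoint.heapdump.access", "").lower() == "none":
        enabled = False
    if not enabled:
        return (False, "heapdump endpoint is disabled")
    if exclude & {"*", "heapdump"}:  # an exclude entry wins over include
        return (False, "heapdump is excluded from web exposure")
    if "*" in include:
        return (True, "exposure.include=* publishes every endpoint, heapdump included")
    if "heapdump" in include:
        return (True, "heapdump is listed in exposure.include")
    return (False, "heapdump is not in exposure.include")

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, heapdump_exposed(sample))
```

A "not exposed" result covers only the web-exposure settings; whether a published endpoint requires authentication is decided elsewhere in the application.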
CISA has not disclosed further details regarding exploitation instances, though it notes that these vulnerabilities have not yet been linked to ransomware attacks. There is no official data on how many U.S. government personnel continue to use TM SGNL. Smarsh, the parent company of TeleMessage, has not issued a public statement.