Source: go.theregister.com – Author: Iain Thomson
The US security watchdog CISA has warned that malicious actors are actively exploiting two flaws in the Signal clone TeleMessage TM SGNL, and has directed federal agencies to patch the flaws or discontinue use of the app by July 22.
TeleMessage came to prominence after the Signalgate fiasco, when then-US national security advisor Mike Waltz mistakenly added a journalist to a Signal group chat outlining a March airstrike against Houthi insurgents in Yemen. Since the conversation had messages set to self-delete, government watchdogs raised concerns that the participants were dodging recordkeeping and retention requirements.
Subsequent investigations showed this wasn’t the case: Waltz and others were using a Signal clone – dubbed TM SGNL – developed by TeleMessage, which is owned by US archiving biz Smarsh, precisely so that records of conversations would be kept. But when journalist Micah Lee examined the code, he found it to be severely buggy and, unlike Signal, lacking proper end-to-end encryption: messages are decrypted on the way to the archive server rather than only on the participants’ devices.
Unfortunately for the government, data thieves were quickly on the case, and in May published chat logs and metadata of over 60 government users, including members of the Secret Service and at least one White House official, on the leak site Distributed Denial of Secrets.
Now CISA has said that two of the flaws found in TeleMessage, CVE-2025-48927 and CVE-2025-48928, belong to a class of bugs that are “frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” and has added them to its Known Exploited Vulnerabilities Catalog, requiring Federal Civilian Executive Branch agencies to apply vendor-supplied mitigations or discontinue use of the product by the deadline.
CVE-2025-48927, with a CVSS score of 5.3, stems from a Spring Boot Actuator misconfiguration in the TeleMessage service behind TM SGNL that exposes the /heapdump endpoint, letting anyone who can reach it download a JVM heap dump containing whatever sensitive data the server holds in memory. CVE-2025-48928, with a CVSS score of 4.0, is the companion issue: the service’s heap content is roughly equivalent to a core dump, so an attacker who obtains a memory-dump file can recover passwords that were previously sent to the server over HTTP.
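The following Python is an added example, not TeleMessage’s or Smarsh’s code, and the two property files it contains are constructed samples rather than the vendor’s real configuration. It models how Spring Boot decides whether the heapdump actuator endpoint is reachable over HTTP and at which path, so a configuration review can flag the pattern behind CVE-2025-48927: a wildcard exposure plus the actuator base path moved to the web root puts the heap dump at /heapdump, while disabling the endpoint and narrowing the exposure list removes it.

```python
"""Audit Spring Boot Actuator settings for an exposed /heapdump endpoint.

Added example (not TeleMessage's code). Mirrors the actuator exposure rules
documented for Spring Boot 2.x/3.x; both property files below are
constructed samples, not the vendor's real configuration.
"""
from typing import Optional

# Constructed sample: every endpoint exposed and the actuator mounted at the
# web root, so the heap dump is served at /heapdump with no authentication.
VULNERABLE_PROPERTIES = """\
server.port=8080
management.endpoints.web.exposure.include=*
management.endpoints.web.base-path=/
"""

# Constructed sample: only health and info exposed, heapdump disabled
# outright, actuator kept under its default /actuator prefix.
HARDENED_PROPERTIES = """\
server.port=8080
management.endpoints.web.exposure.include=health,info
management.endpoint.heapdump.enabled=false
management.endpoints.web.base-path=/actuator
"""


def parse_properties(text: str) -> dict[str, str]:
    """Minimal java.util.Properties-style parser: key=value or key:value,
    '#' / '!' comment lines, surrounding whitespace ignored (no continuations)."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # first '=' or ':' separates key from value
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            props[line] = ""
        else:
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def _csv_set(value: str) -> set[str]:
    return {item.strip() for item in value.split(",") if item.strip()}


def heapdump_path(props: dict[str, str]) -> Optional[str]:
    """Return the HTTP path at which the heapdump endpoint is served, or None
    if it is disabled or not exposed over the web.

    Rules mirrored from Spring Boot's actuator configuration:
      * an endpoint must be enabled AND listed in
        management.endpoints.web.exposure.include ('*' means all);
      * management.endpoints.web.exposure.exclude wins over include;
      * web exposure defaults to just 'health';
      * the URL is <base-path>/<path-mapping>, default /actuator/heapdump.
    """
    enabled_default = props.get("management.endpoints.enabled-by-default", "true")
    enabled = props.get("management.endpoint.heapdump.enabled", enabled_default).lower() == "true"
    include = _csv_set(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv_set(props.get("management.endpoints.web.exposure.exclude", ""))
    exposed = ("*" in include or "heapdump" in include) and not ("*" in exclude or "heapdump" in exclude)
    if not (enabled and exposed):
        return None
    base = props.get("management.endpoints.web.base-path", "/actuator").rstrip("/")
    mapping = props.get("management.endpoints.web.path-mapping.heapdump", "heapdump").strip("/")
    return f"{base}/{mapping}"


def audit(text: str) -> dict[str, object]:
    """Summarise one properties file: whether the heap dump is exposed, where,
    and the configuration change that closes it."""
    path = heapdump_path(parse_properties(text))
    return {
        "heapdump_exposed": path is not None,
        "path": path,
        "fix": None if path is None else (
            "set management.endpoint.heapdump.enabled=false and restrict "
            "management.endpoints.web.exposure.include to health,info"
        ),
    }


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(label, audit(cfg))
```

The static check only covers the actuator properties themselves: a Spring Security filter, a separate management.server.port bound to localhost, or a reverse proxy can all change what is actually reachable, so confirm the result against the running service (an unauthenticated GET to the reported path must not return a 200 with a binary body). Note also that disabling the endpoint does nothing about secrets already present in process memory, which is the root of the companion CVE: credentials that arrive over plain HTTP sit in the heap in cleartext, and anything that can read that heap can read them.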
CISA hasn’t released any more details about the twin issues; its catalog entries say only that it is not known whether either has been used in ransomware campaigns. It’s also not known how many – if any – government officials are still using the application.
Smarsh had no comment at time of publication. ®
Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/07/02/cisa_telemessage_patch/