The cybersecurity agency CISA is calling attention to a vulnerability discovered in TeleMessage, a messaging application that was recently used by Trump’s former national security advisor, Mike Waltz.
Waltz’s short tenure as national security advisor was marked by two incidents related to the use of messaging applications. First, in what became known as ‘Signalgate’, he erroneously added a journalist to a Signal group chat where national security leaders discussed an upcoming military operation in Yemen.
Waltz was later seen using an application called TeleMessage Signal on his phone, which again raised security concerns.
The Signalgate incident reportedly played a part in Trump’s decision to oust the national security advisor.
Israel-based TeleMessage, which is owned by Oregon-based communications company Smarsh, enables users to archive messages sent through applications such as WhatsApp, Telegram and Signal.
After TeleMessage came into the spotlight due to its use by Waltz, it was revealed that the product has been used within the US government, and the security concerns turned out to be warranted.
Hackers claimed to have stolen private messages and group chats associated with TeleMessage’s Signal, WhatsApp, WeChat and Telegram clones. The hackers did not obtain the messages of US government officials, but demonstrated that the chat logs archived by TeleMessage were not encrypted and could be easily obtained by threat actors.
In response to the incident, Smarsh has temporarily suspended all TeleMessage services while it conducts an investigation.
Researcher Micah Lee has analyzed TeleMessage source code and found that despite the vendor’s claims that its Signal app, named TM SGNL, supports end-to-end encryption, in reality the communication between the app and the final message archive destination is not end-to-end encrypted, enabling an attacker to access plaintext chat logs.
Indeed, it seems hackers exploited this weakness to obtain user data from the TeleMessage archive server, including private Telegram messages belonging to cryptocurrency company Coinbase and a list of hundreds of Customs and Border Protection employees.
This flaw now has a CVE identifier, CVE-2025-47729, which has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
The National Vulnerability Database entry for CVE-2025-47729 points out that the security issue has been exploited in the wild.
Federal agencies are required to address vulnerabilities included in the KEV list within three weeks. Other organizations are also advised to keep an eye on the list for patch prioritization.
In the case of the TeleMessage vulnerability, considering that it’s a server-side issue, there is not much that users can do beyond discontinuing the use of the product, which is what CISA appears to be recommending.