DDoSecrets Incorporates 410GB of TeleMessage Breach Data into Its Index

On May 4, 2025, TeleMessage, an Israeli firm that sells modified versions of encrypted messaging apps such as Signal with message archiving bolted on, suffered a significant data breach. The incident exposed archived messages, contact details of government officials, and backend login credentials.

The breach was carried out by an unidentified hacker who exploited a weakness in TeleMessage's backend: a Java heap dump file was publicly reachable. A heap dump is a snapshot of a running JVM's memory, so it contains, in cleartext, whatever the process held at that moment, including credentials and message content that were never meant to leave the server. The event has raised substantial concerns about the communication channels used by senior U.S. government officials, particularly because then National Security Advisor Mike Waltz was photographed using TeleMessage's TM SGNL app during a cabinet meeting.

In the aftermath of the breach, TeleMessage temporarily halted its services and removed all references to the app from its website. The company’s parent organization, Smarsh, is reportedly in the process of rebranding the service as Capture Mobile. This situation has prompted scrutiny of TeleMessage’s security practices and the inherent risks of utilizing modified messaging applications for governmental communications.

CISA Adds TeleMessage Vulnerability to its Known Exploited Vulnerabilities List

On May 13, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) responded to the breach by adding the vulnerability in TeleMessage's TM SGNL messaging app to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, tracked as CVE-2025-47729, concerns the archiving backend holding cleartext copies of users' messages, which let the attacker read chat logs in plaintext.

The CVE carries a low CVSS score of 1.9, but KEV listing is driven by evidence of in-the-wild exploitation rather than by severity score, and confirmed exploitation is what triggered the response. CISA gave federal agencies three weeks to remediate, either by applying vendor-supplied mitigations or by discontinuing use of the affected application.

DDoSecrets Archives Breach Data

In a significant development, Distributed Denial of Secrets (DDoSecrets), a nonprofit organization committed to sharing leaked and hacked data for public interest, has incorporated the complete set of breached TeleMessage data into its online archive. According to a Telegram post by the organization, the dataset includes both plaintext messages and metadata such as sender and recipient details, timestamps, and group identifiers. For enhanced analyzability, DDoSecrets has also extracted readable content from the initial heap dump files.
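The attacker's entry point (an exposed Java heap dump) and the "readable content" DDoSecrets pulled out of those dump files both come down to the same triage step: walk a binary memory image, pull out printable string runs the way the `strings` utility does, and flag the ones that look like credentials, tokens or personal data. The script below is an added illustration of that check, written for this page; it is not TeleMessage's code, DDoSecrets' tooling, or a parser of the real HPROF format. The sample blob is constructed, the pattern list is a minimal starting set, and the defenders' use case is the one intended: run it against a heap dump of your own service before an attacker does, and note that it reports redacted previews plus a hash rather than the secret itself.

```python
import hashlib
import re

# Constructed sample standing in for a heap dump. A real HPROF file starts with the
# "JAVA PROFILE 1.0.x" header and holds binary records; here a few strings are simply
# embedded between non-printable junk bytes so the extraction step has something to find.
JUNK = b"\x00\x01\x02\xfe\xff"
SAMPLE_HEAP = (
    b"\x00\x01JAVA PROFILE 1.0.2" + JUNK
    + b"spring.datasource.password=S3cretDbPass!" + JUNK
    + b"Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.abc123" + JUNK
    + b"archive_user=archiver@example.invalid" + JUNK
    + b"plain chat text: meeting moved to 3pm" + JUNK
)

# Hypothetical starter patterns; a real triage run would use a longer, tuned list.
SECRET_PATTERNS = {
    "password_assignment": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*\S+"),
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9\-_.=]{16,}"),
    "jwt": re.compile(r"eyJ[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}


def extract_strings(blob: bytes, min_len: int = 8) -> list[str]:
    """Return every run of at least min_len printable ASCII bytes, like `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def redact(value: str, keep: int = 6) -> str:
    """Short preview plus length so a report never carries the full secret."""
    return f"{value[:keep]}...[{len(value)} chars]"


def find_secrets(blob: bytes, min_len: int = 8) -> list[dict]:
    """Scan extracted strings against SECRET_PATTERNS.

    Each finding carries the pattern name, a redacted preview and a truncated
    SHA-256 so the same leaked value can be correlated across dumps without
    copying it into tickets or logs.
    """
    findings = []
    for s in extract_strings(blob, min_len):
        for label, pat in SECRET_PATTERNS.items():
            for m in pat.finditer(s):
                hit = m.group()
                findings.append({
                    "type": label,
                    "preview": redact(hit),
                    "sha256_12": hashlib.sha256(hit.encode()).hexdigest()[:12],
                })
    return findings


def triage(blob: bytes) -> dict:
    """Summary a responder would want first: how much text, how many hits, of what kind."""
    strings = extract_strings(blob)
    findings = find_secrets(blob)
    by_type: dict[str, int] = {}
    for f in findings:
        by_type[f["type"]] = by_type.get(f["type"], 0) + 1
    return {"strings": len(strings), "findings": len(findings), "by_type": by_type}


def triage_file(path: str) -> dict:
    """Run the same triage over a dump on disk (reads the whole file into memory)."""
    with open(path, "rb") as fh:
        return triage(fh.read())


if __name__ == "__main__":
    for f in find_secrets(SAMPLE_HEAP):
        print(f"{f['type']:<20} {f['preview']:<32} {f['sha256_12']}")
    print(triage(SAMPLE_HEAP))
```

The last sample string, ordinary chat text, produces no finding, which is the point: pattern matching catches credentials and identifiers, but the plaintext messages that made this breach newsworthy only show up if someone reads the extracted strings themselves, so a scan with zero secret hits is not a clean bill of health for a memory dump.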

However, because the dataset contains personal information and messages that are not necessarily related to government or corporate business, access is currently limited to journalists and researchers. Hackread.com has requested access and has not yet received a response. The archive's availability adds to TeleMessage's difficulties: weeks after the breach, the company's website still carries little content and its service remains suspended.

The implications of this breach reach beyond the immediate exposure. In MITRE ATT&CK terms, the publicly reachable heap dump was the initial access vector, and the backend credentials recovered from it fall under credential access; whether the attacker went on to escalate privileges or move further into the environment has not been reported. Either way, the lesson for organizations is to reassess their reliance on modified messaging platforms for sensitive communication, and to treat any archiving add-on as widening the set of systems that can leak the messages it captures.
