CISA Adds TeleMessage Vulnerability to KEV List Following Breach

CISA adds a TeleMessage flaw to its KEV list and urges agencies to act within 3 weeks, after a breach exposed unencrypted chats. The Israeli app was used by Trump officials!
A serious flaw in TM SGNL, a messaging app by US-Israeli firm TeleMessage used by former Trump administration officials, has now landed on CISA’s Known Exploited Vulnerabilities (KEV) list. The move follows reports of a breach that exposed sensitive communications and backend data.
The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-47729 to its KEV catalogue this week. The listing confirms that the vulnerability has been exploited in the wild and sets a three-week deadline for federal agencies to address the issue.
On May 5, Hackread.com reported that TeleMessage had halted operations of TM SGNL after attackers gained access to backend systems and user message data. The breach cast doubt on the platform’s core security claims.
Security researcher Micah Lee analyzed the app’s source code and found a serious gap in its encryption model. While TeleMessage stated that TM SGNL used end-to-end encryption, Lee’s findings suggest otherwise. Communication between the app and its final storage point lacked full encryption, which opened the door for attackers to intercept plaintext chat logs.
This finding raised some serious security and privacy concerns given the app’s past use by high-level figures, including former national security advisor Mike Waltz.
CISA’s decision to add the flaw to its KEV list sends a clear message to government agencies: the software isn’t safe. It puts pressure on them to patch or drop it quickly.
Thomas Richards, Infrastructure Security Practice Director at Black Duck, said the decision likely stemmed from the software’s use in government:
“This vulnerability was probably added to the KEV list because of who was using it. With sensitive government conversations involved, the breach takes on another level of risk. CISA’s move is about making sure agencies know this software shouldn’t be trusted.”
Casey Ellis, founder of Bugcrowd, added that the inclusion confirms the severity:
“CISA is making sure federal agencies got the message. The fact that the logs weren’t properly encrypted changes the risk equation. And while the CVSS 1.9 score may seem low, it still reflects the danger of compromising the device storing those logs.”
Federal agencies are now required to act within three weeks. Organizations outside the government are also advised to review the KEV catalogue and consider prioritizing patches or alternative solutions.
The breach and the subsequent KEV listing have pushed TeleMessage into a larger discussion about transparency, encryption standards, and the security infrastructure of platforms used in political and governmental communication.
For more information, the CVE entry is available via NVD, and the KEV catalogue can be accessed on the CISA website.
HackRead