The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added multiple vulnerabilities in TeleMessage’s TM SGNL messaging application to its Known Exploited Vulnerabilities (KEV) Catalog, urging federal agencies and private organizations to address these critical flaws immediately. This inclusion signifies that these vulnerabilities, which undermine the security promises of the communication platform, are actively being exploited in the wild.
The flaws identified include CVE-2025-48927, an “Initialization of a Resource with an Insecure Default Vulnerability,” and CVE-2025-48928, an “Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability.” These vulnerabilities, despite seemingly moderate CVSS scores, have proven to be highly impactful, with real-world exploitation observed as early as May 2025.
One of the most concerning aspects of these vulnerabilities is their direct impact on the confidentiality of sensitive communications. Reports indicate that TeleMessage, which offered modified versions of popular encrypted messaging apps for compliance and archiving purposes, had a critical flaw where archived chat logs were not end-to-end encrypted between the modified app and the ultimate archive destination. This effectively exposed plaintext messages, contradicting the platform’s purported security.
The vulnerabilities came to public attention following reports of a breach that exposed sensitive communications and backend data, including details pertaining to government officials and financial institutions. This incident highlighted how easily even seemingly “secure” platforms can be compromised when fundamental security principles, such as proper encryption and credential management, are overlooked.
Under CISA’s Binding Operational Directive (BOD) 22-01, federal civilian executive branch (FCEB) agencies are mandated to remediate vulnerabilities listed in the KEV Catalog by a specified due date. For the TeleMessage TM SGNL flaws, federal agencies have been ordered to fix the vulnerabilities by July 22, 2025. CISA strongly recommends that private sector organizations also prioritize the remediation of these vulnerabilities to protect their networks against ongoing threats.
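As an added example (not from the article, CISA or TeleMessage), the following Python helper reads entries in the shape of CISA's KEV JSON feed and reports, for a chosen date, how many days remain before each entry's BOD 22-01 due date. The sample feed is constructed: only the two CVE ids, the product name and the July 22, 2025 due date come from the article; the third entry and all dateAdded values are placeholders.

```python
"""Triage KEV catalog entries against their BOD 22-01 due dates (added example)."""
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The two TeleMessage
# CVE ids, the product name and the 2025-07-22 due date come from the article;
# the third entry and every dateAdded value are placeholders.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-48927", "vendorProject": "TeleMessage",
     "product": "TM SGNL", "dateAdded": "2025-07-01", "dueDate": "2025-07-22"},
    {"cveID": "CVE-2025-48928", "vendorProject": "TeleMessage",
     "product": "TM SGNL", "dateAdded": "2025-07-01", "dueDate": "2025-07-22"},
    {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "ExampleVendor",
     "product": "ExampleProduct", "dateAdded": "2025-01-01", "dueDate": "2025-01-22"},
]})


def load_kev(raw_json):
    """Return the list of vulnerability entries from a KEV feed document."""
    return json.loads(raw_json)["vulnerabilities"]


def kev_status(entries, as_of, vendors=None):
    """Compute, per entry (optionally filtered to a set of vendorProject names),
    the days remaining until its due date as of the ISO date `as_of`;
    a negative value means the deadline has already passed."""
    today = date.fromisoformat(as_of)
    report = []
    for entry in entries:
        if vendors and entry["vendorProject"] not in vendors:
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        report.append({"cveID": entry["cveID"], "product": entry["product"],
                       "dueDate": entry["dueDate"], "days_left": days_left,
                       "overdue": days_left < 0})
    return report


def overdue_ids(entries, as_of, vendors=None):
    """Sorted CVE ids whose BOD 22-01 due date has passed on `as_of`."""
    return sorted(r["cveID"] for r in kev_status(entries, as_of, vendors)
                  if r["overdue"])


if __name__ == "__main__":
    entries = load_kev(SAMPLE_KEV_JSON)
    for row in kev_status(entries, "2025-07-15", {"TeleMessage"}):
        print(row)
    print("overdue on 2025-07-30:", overdue_ids(entries, "2025-07-30"))
```

Pointing `load_kev` at the live feed instead of the constructed sample gives the same report for the real catalog.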
The addition of these TeleMessage flaws to the KEV Catalog serves as a stark reminder for all organizations to meticulously review and strengthen their cybersecurity postures, particularly concerning third-party communication and archiving solutions that handle sensitive information. The emphasis remains on proactive vulnerability management and prioritizing the patching of actively exploited weaknesses to mitigate significant cyber risks.