What is TeleMessage TM SGNL?
TeleMessage is an Israeli company that markets compliance-archiving versions of popular end-to-end encrypted messaging apps — including Signal, WhatsApp, WeChat, and Telegram — for use in regulated industries such as financial services and government. TM SGNL is their Signal-derived application modified to route messages through a proprietary archiving backend, allowing organizations to retain searchable records of communications for regulatory compliance.
Because TM SGNL preserves the Signal front-end UI while intercepting messages before they leave the device, users may believe their communications retain Signal's end-to-end encryption guarantees. In practice, the archiving backend receives and stores plaintext copies of every message.
Overview
TeleMessage TM SGNL contains a hidden functionality vulnerability (CWE-912) in which the archiving backend maintains cleartext copies of messages from all TM SGNL users. While TM SGNL presents Signal's familiar end-to-end encrypted interface, the app's compliance-archiving layer decrypts messages and stores them in plaintext on TeleMessage's servers before they reach the recipient.
This design — undisclosed to end users — was exposed in May 2025 when a security researcher breached TeleMessage's backend infrastructure in approximately 20 minutes, accessing stored message archives. The vulnerability became high-profile after news reporting revealed that U.S. government officials, including senior national security staff, were using TM SGNL for sensitive communications.
Affected Versions
| Product | Status |
|---|---|
| TeleMessage TM SGNL (all versions) | Vulnerable — no patch issued; service suspended |
| TeleMessage TM WhatsApp | Affected by same architecture |
| TeleMessage TM WeChat | Affected by same architecture |
TeleMessage suspended all services following the May 2025 breach. No patched version was released.
Technical Details
TM SGNL modifies the Signal client to intercept outbound messages on the sending device, before Signal's end-to-end encryption protects them. The plaintext is routed to TeleMessage's Java-based archiving backend (a Spring Boot application), where it is stored for compliance retrieval.
The CWE-912 classification (Hidden Functionality) applies because the archiving pipeline is not disclosed to message recipients and operates outside their knowledge or consent. From an architectural standpoint:
- Message interception: The modified client captures outbound messages and sends them down the backend pathway without Signal's E2E encryption applied to them.
- Cleartext storage: The backend stores message contents, metadata, and sender/recipient identifiers in plaintext.
- Unauthenticated access: Related CVEs (CVE-2025-48927, CVE-2025-48928) show that the backend was also configured to expose Java heap dumps via Spring Boot Actuator, making stored credentials and message fragments retrievable without authentication.
The formal CVSS score (1.9 LOW) reflects the narrow technical scope of the CWE-912 classification; the real-world impact of the cleartext archiving design substantially exceeds this score.
Discovery
A security researcher (reported by 404 Media in May 2025) breached TeleMessage's backend infrastructure and extracted data in approximately 20 minutes. The researcher reported finding plaintext message content, contact information, and credentials belonging to TM SGNL users, including individuals working for U.S. government agencies.
Exploitation Context
The May 2025 breach demonstrated active real-world exploitation. The attacker accessed:
- Archived message content from TM SGNL users
- Contact details and metadata for government and corporate users
- Credentials from the server's heap memory (see related CVE-2025-48927, CVE-2025-48928)
The incident drew particular attention because U.S. government officials had used TM SGNL for communications that users may have assumed were protected by Signal's encryption. TeleMessage suspended all services following public disclosure.
Remediation
- Discontinue use of TeleMessage products — no patch is available; the archiving design is a fundamental architectural issue.
- Migrate to approved alternatives — use Signal directly or other communications platforms that do not route messages through third-party archiving backends.
- Review past communications — assume that all messages sent via TM SGNL may have been accessible to TeleMessage and, following the breach, to the attacker.
- Assess related CVEs — CVE-2025-48927 and CVE-2025-48928 describe the exposed Spring Boot Actuator and heap dump leakage that accompanied this vulnerability.
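For teams checking their own Spring Boot services for the heap dump exposure described in the related CVEs, the following added example (not code from the advisory or from TeleMessage) audits the text of an `application.properties` file. It assumes Spring Boot 2.x/3.x property names and the `.properties` format only, and it cannot tell whether authentication is enforced on actuator paths; the two sample configurations are constructed.

```python
import re

# Spring Boot 2.x/3.x property names (assumed); the 3.4+ `access` key replaces `enabled`.
WEB_INCLUDE = "management.endpoints.web.exposure.include"
WEB_EXCLUDE = "management.endpoints.web.exposure.exclude"
HEAP_ENABLED = "management.endpoint.heapdump.enabled"
HEAP_ACCESS = "management.endpoint.heapdump.access"

def parse_properties(text):
    """Parse key=value / key: value lines, skipping blanks and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def _ids(value):
    """Split a comma-separated endpoint list into a lowercase set."""
    return {v.strip().lower() for v in value.split(",") if v.strip()}

def heapdump_findings(text):
    """Return findings if the configuration publishes the heapdump endpoint over HTTP."""
    p = parse_properties(text)
    include = _ids(p.get(WEB_INCLUDE, "health"))  # unset: heapdump is not web-exposed
    exclude = _ids(p.get(WEB_EXCLUDE, ""))
    exposed = bool({"*", "heapdump"} & include) and not ({"*", "heapdump"} & exclude)
    switched_off = (p.get(HEAP_ENABLED, "true").lower() == "false"
                    or p.get(HEAP_ACCESS, "").lower() == "none")
    if exposed and not switched_off:
        return [f"{WEB_INCLUDE}={p[WEB_INCLUDE]} publishes heapdump over HTTP; disable or "
                "exclude the endpoint and require authentication on actuator paths"]
    return []

# Constructed sample: every actuator endpoint published over HTTP.
WEAK = "management.endpoints.web.exposure.include=*\n"
# Constructed sample: minimal exposure with the heap dump endpoint switched off.
HARDENED = ("management.endpoints.web.exposure.include=health,info\n"
            "management.endpoint.heapdump.enabled=false\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, heapdump_findings(cfg) or "no heapdump exposure found")
```

A clean result only means the properties file does not publish the endpoint; YAML configuration, environment overrides and the application's security rules need the same review.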
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-47729 |
| Vendor / Product | TeleMessage — TM SGNL |
| NVD Published | 2025-05-08 |
| NVD Last Modified | 2025-11-05 |
| CVSS 3.1 Score | 1.9 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N |
| Severity | LOW |
| CWE | CWE-912 |
| CISA KEV Added | 2025-05-12 |
| CISA KEV Deadline | 2025-06-02 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Timeline
| Date | Event |
|---|---|
| 2025-05-04 | Security researcher breaches TeleMessage backend and discovers cleartext message archives |
| 2025-05-05 | 404 Media reports TeleMessage breach; TeleMessage suspends all services |
| 2025-05-08 | CVE-2025-47729 published |
| 2025-05-12 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2025-06-02 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2025-47729 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| 404 Media — A Hacker Got All of TeleMessage's Data in 20 Minutes | News |