CISA Alerts Former National Security Advisor to TeleMessage App Flaw

CISA just rang the alarm about this gnarly bug in TeleMessage—that’s the messaging app Trump’s ex-national security advisor, Mike Waltz, was messing around with not so long ago.

Waltz’s run in the White House didn’t last long, and, yeah, he managed to step in it twice, both times thanks to his questionable choice of messaging apps. There was that whole “Signalgate” mess, where he accidentally dropped a journalist into a Signal group with high-level officials talking about military stuff in Yemen. Real smooth move, right?

After that, eagle-eyed folks spotted Waltz using something called TeleMessage Signal on his phone. Cue: cybersecurity side-eye.

Turns out that whole Signalgate drama basically pushed Trump to toss Waltz out of his advisor seat. Oops.

So, TeleMessage—built in Israel but technically owned these days by Smarsh in Oregon—lets people archive chats from stuff like WhatsApp, Telegram, Signal, you name it. When word got out the US government had been using it, the security folks started sweating. And, yeah, they had reason to.

Hackers strutted in and bragged about grabbing private messages—stuff from Signal, WhatsApp, Telegram, WeChat clones—all siphoned off because, get this, those “secure” chat logs? Zero encryption. Wide open. Now, the feds’ messages didn’t leak, but the proof-of-concept was kinda embarrassing.

Smarsh freaked and just shut TeleMessage down across the board to take a closer look.

Micah Lee, who’s basically the Ferris Bueller of cybersecurity research, poked at their code and found out TM SGNL (their take on Signal) doesn’t even do real end-to-end encryption from the app to the message archive. So an attacker could basically waltz right in and snag conversations as plain text. Yikes.

Apparently, that’s exactly what some hackers did—they nabbed chat logs straight from the archive server, including private Telegram chats from big names like Coinbase and even a list of hundreds of Customs and Border Protection employees. Oof.

This whole mess has been stamped with its very own CVE number: CVE-2025-47729, and it landed right on CISA’s “Known Exploited Vulnerabilities” hit list. Bottom line? If it’s on that list, federal agencies have less than a month to get it fixed or unplug the thing. Everybody else? Well, probably time to rethink your priorities and patch up.

Honestly, with TeleMessage, since the problem sits on the server side, there’s basically nothing regular users can do except… yeah, stop using it. Pretty much what CISA’s hinting at—just bail until they figure out how to patch that sieve they call security.