The Cybersecurity and Infrastructure Security Agency (CISA) added two critical vulnerabilities in TeleMessage TM SGNL to its Known Exploited Vulnerabilities (KEV) catalog on July 2, 2025, after hackers demonstrated that the messaging archive platform stored chat logs in plaintext on its servers. The disclosure reveals that private Telegram messages belonging to cryptocurrency exchange Coinbase and a list of hundreds of U.S. Customs and Border Protection employees were accessed by threat actors exploiting the flaw, now tracked as CVE-2025-47729.
The Exploit Mechanics
The vulnerability centers on TeleMessage’s fundamental architecture. Despite marketing claims that its Signal clone, TM SGNL, supports end-to-end encryption, security researcher Micah Lee discovered through source code analysis that communication between the application and the final message archive destination is not encrypted end-to-end. This architectural weakness means that any attacker gaining access to TeleMessage’s archive server can read plaintext chat logs without needing to break encryption.
Threat actors exploited precisely this gap. By compromising the archive server infrastructure, hackers obtained user data including private Telegram messages and contact lists. The attack did not require sophisticated cryptographic breaking — the data was simply sitting unencrypted on a server that was insufficiently protected against unauthorized access.
The vulnerability carries particular significance because TeleMessage, owned by Oregon-based Smarsh, positions itself as a compliance archiving tool for regulated industries and government agencies. The promise of secure message archiving was undercut by the plaintext storage reality.
Affected Systems
The breach affected users across multiple platforms. TeleMessage creates clones of popular messaging applications — Signal, WhatsApp, WeChat, and Telegram — that route messages through its archiving infrastructure. Every user of these cloned applications had their messages potentially exposed. The confirmed victims include Coinbase employees whose private Telegram conversations were accessed, and a substantial database of CBP personnel information.
The platform had been adopted within segments of the U.S. government, including by former National Security Advisor Mike Waltz, whose use of the application drew public scrutiny following the earlier “Signalgate” incident. The discovery that an Israeli-owned messaging archive tool with inadequate security was being used at the highest levels of government amplifies concerns about the vetting process for communications tools handling sensitive information.
The Mitigation Strategy
Smarsh responded to the breach by temporarily suspending all TeleMessage services while conducting a full investigation. CISA’s addition of the vulnerability to the KEV catalog triggers a mandatory remediation requirement for federal agencies, which must address the flaw within three weeks. However, since CVE-2025-47729 is a server-side vulnerability, there is no patch that end users can apply — the only effective mitigation is to stop using the product entirely.
For organizations that relied on TeleMessage for compliance archiving, the incident demands an immediate review of alternative solutions. Any platform that claims to archive encrypted communications must be independently verified to maintain encryption throughout the data lifecycle, not merely during transit between endpoints.
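As an added illustration (not code from the article, from TeleMessage, or from Smarsh), the following Python models the two archive designs the sections above contrast: an archive whose transport is encrypted but which stores what it receives in plaintext, beside one where the client encrypts each record under an organization key the archive server never holds. It also shows a simple way to "independently verify" the at-rest claim: push known canary strings through the pipeline and search the stored records for them. The server class, function names, canary messages and the stdlib HMAC-based cipher are all constructed for this example; a deployed system would use a vetted AEAD such as AES-GCM rather than the toy construction here.

```python
"""Model of the gap the article describes: an archive that receives messages over
a transport-encrypted channel but keeps them in plaintext, beside a design where
the client encrypts each record under a key the archive server never holds.
Added illustration; not TeleMessage or Smarsh code. The cipher is a stdlib-only
HMAC-SHA256 keystream plus tag, chosen only to keep the file self-contained;
a deployed system would use a vetted AEAD such as AES-GCM.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks, truncated."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_record(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag. The key stays with the organization."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_record(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("archive record failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class ArchiveServer:
    """Hypothetical archive endpoint. `records` is exactly what anyone with
    server access can read."""
    records: list = field(default_factory=list)

    def ingest(self, payload: bytes) -> None:
        # TLS protects the payload in transit and terminates here, so only
        # whatever the client already put inside `payload` is protected at rest.
        self.records.append(payload)


def archive_plaintext(server: ArchiveServer, message: str) -> None:
    """Flow the article attributes to TM SGNL: the client forwards the decrypted message."""
    server.ingest(message.encode("utf-8"))


def archive_client_encrypted(server: ArchiveServer, org_key: bytes, message: str) -> None:
    """Alternative: the client encrypts under an organization key the archive never sees."""
    server.ingest(encrypt_record(org_key, message.encode("utf-8")))


def audit_exposed_records(server: ArchiveServer, canaries: list[str]) -> list[int]:
    """Canary check for the at-rest guarantee: send known strings through the
    pipeline, then look for them verbatim in what is stored. Any hit means the
    archive holds plaintext, whatever the product's marketing claims."""
    return [i for i, rec in enumerate(server.records)
            if any(c.encode("utf-8") in rec for c in canaries)]


def demo() -> dict:
    # Constructed sample messages; not real Coinbase or CBP content.
    canaries = ["CANARY-7f3a: wire desk, confirm 12:00 settlement", "CANARY-7f3b: badge list v2"]
    org_key = secrets.token_bytes(32)

    plain_server = ArchiveServer()
    for m in canaries:
        archive_plaintext(plain_server, m)

    enc_server = ArchiveServer()
    for m in canaries:
        archive_client_encrypted(enc_server, org_key, m)

    return {
        "plaintext_design_exposed": audit_exposed_records(plain_server, canaries),
        "encrypted_design_exposed": audit_exposed_records(enc_server, canaries),
        "officer_can_read": [decrypt_record(org_key, r).decode("utf-8") for r in enc_server.records],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running `demo()` shows the point of the section in one comparison: with the plaintext design, every canary is found verbatim in the server's records, so server access alone is full disclosure; with client-side encryption, the audit finds nothing on the server, yet the compliance officer holding the organization key can still decrypt every record for retention purposes. The canary audit generalizes to any archiving vendor: if a test string you sent can be grepped out of the vendor's storage, the end-to-end claim stops at the archive.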
Lessons Learned
The TeleMessage incident offers several critical takeaways for the cryptocurrency and broader technology community. First, end-to-end encryption claims must be verified independently. TeleMessage advertised E2E encryption while its archive server stored plaintext — a discrepancy that no amount of marketing should obscure. Second, archive and compliance tools that intercept messages inherently introduce a new attack surface. Every intermediary in a communication chain represents a potential point of failure. Third, the exposure of Coinbase’s internal Telegram communications demonstrates that even sophisticated cryptocurrency companies can be affected by vulnerabilities in third-party tools they use for daily operations.
With Bitcoin trading at approximately $108,859 and the broader crypto market capitalization exceeding $3 trillion, the stakes for operational security in the cryptocurrency industry have never been higher. Every data exposure incident, even through indirect vectors like messaging archive tools, can provide attackers with intelligence useful for social engineering, phishing, or targeted attacks against cryptocurrency operations.
User Action Required
Anyone who has used TeleMessage TM SGNL, or any TeleMessage clone of Signal, WhatsApp, Telegram, or WeChat, should assume their communications were potentially exposed. Immediate steps include discontinuing use of all TeleMessage products, reviewing any sensitive information shared through these platforms, and changing credentials for any accounts discussed in archived conversations. Organizations should audit their compliance archiving solutions to verify that encryption claims match actual implementation, and should prefer solutions where the archiving mechanism does not require routing messages through a third-party server that stores plaintext.
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always consult with qualified cybersecurity professionals for specific security concerns.
plaintext chat logs on an archive server marketed as end-to-end encrypted. telemessage basically lied to every client they had
CBP employee names next to coinbase transaction logs on the same unencrypted server. two completely different security implications and both are catastrophic
CISA adding telemessage tm sgnl to the list shows how bad that coinbase data breach actually was. archive server security is always the weakest link.
cisa adding it to the kev catalog means every federal agency has to patch. the compliance ripple effect alone will be huge
Keiko T. KEV catalog means every federal agency has 14 days to patch. the compliance scramble inside government IT right now must be chaos
Keiko T. the compliance ripple is already hitting agencies that used TeleMessage for records retention. they have 30 days to remediate per BOD 22-01 and there's no good replacement ready
coinbase data on an archive server? that is such a basic failure. glad cisa is finally tracking the telemessage vulnerability.
plaintext on an archive server in 2025. companies still treating encryption like an optional feature smh
cipher_punk_ plaintext archive storage in 2025 is wild. the marketing said end-to-end encrypted but the actual implementation just… wasn't. classic security theater
another day another coinbase data leak. archive servers are a goldmine for attackers using that tm sgnl exploit.
CVE-2025-47729 and hundreds of CBP employee names exposed. the blast radius on this one is insane
cbp employee names plus coinbase data on the same server. the legal fallout from this is going to take years
leak_analyst CBP employee names and coinbase data on the same unencrypted server is a compliance nightmare. both orgs are gonna get sued into oblivion