Hackers are trying to steal passwords and sensitive data from users of Signal clone

Security researchers and U.S. cybersecurity agencies have issued urgent warnings about active exploitation of a critical vulnerability in TeleMessage, a modified version of Signal marketed to government agencies and corporations. The flaw, tracked as CVE-2025-48927, allows attackers to intercept unencrypted usernames, passwords, and sensitive communications from affected users.

TeleMessage gained notoriety earlier this year when it was revealed that multiple Trump administration officials, including former National Security Advisor Mike Waltz, used the platform to communicate about sensitive matters. This followed a May 2025 data breach in which hackers infiltrated the systems of organizations such as U.S. Customs and Border Protection and Coinbase, exposing private group chats and operational discussions.

Key Security Concerns:

  • Exploits require minimal technical skill to execute
  • Thousands of vulnerable devices remain unpatched
  • Attackers actively targeting government and corporate users

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added this vulnerability to its Known Exploited Vulnerabilities catalog, confirming active malicious use in the wild. Despite this designation, TeleMessage has not publicly addressed mitigation strategies or acknowledged ongoing attacks.

“The simplicity of this exploit is shocking. Unencrypted credentials and messages are exposed with basic hacking techniques, yet critical systems remain unprotected.”
Howdy Fisher, GreyNoise Security Researcher

Organizations using TeleMessage for compliance purposes are advised to:

  1. Immediately disconnect vulnerable devices from networks
  2. Audit all archived communications for signs of tampering
  3. Migrate to platforms with end-to-end encryption by default

This incident highlights the risks of modified secure messaging apps, particularly when used for sensitive government operations. Security experts emphasize that extending or altering encryption protocols often introduces unforeseen vulnerabilities that malicious actors can exploit.

