CVE-2025-47730
In short
TeleMessage's archiving system accepts API requests using hardcoded credentials (a generic logfile username and a fixed password), allowing anyone with knowledge of these credentials to request authentication tokens without proper authorization.
Technical detail
The TeleMessage backend implements hardcoded credentials (CWE-798) in its API authentication mechanism, accepting requests from the TM SGNL app using a static username and password. An attacker with knowledge of these credentials can authenticate and obtain tokens, bypassing proper user identity verification and potentially accessing archived data or performing unauthorized operations.
Summary generated and translated by AI from the official description.
The TeleMessage archiving backend through 2025-05-05 accepts API calls (to request an authentication token) from the TM SGNL (aka Archive Signal) app with the credentials of logfile for the user and enRR8UVVywXYbFkqU#QDPRkO for the password.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected products
TeleMessage · archiving backend
References
https://arstechnica.com/security/2025/05/signal-clone-used-by-trump-official-stops-operations-after-report-it-was-hacked/
https://github.com/micahflee/TM-SGNL-Android/blob/bd7ccbb8bc79193fc4c57cae7cc1051e6250fa89/app/src/tm/java/org/archiver/ArchiveConstants.kt#L45-L46
https://news.ycombinator.com/item?id=43909220
https://www.theregister.com/2025/05/05/telemessage_investigating/