CVE-2025-48931

CVSS 3.2 LOWEPSS 0.1%CWE-328

In short

TeleMessage uses MD5 to protect passwords, which is an outdated and weak hashing method that makes it easier for attackers to crack passwords if they gain access to the password database.

Technical detail

MD5 is cryptographically broken and unsuitable for password hashing (CWE-328). Attackers with access to the password database can exploit MD5's collision properties and perform efficient dictionary or rainbow table attacks with minimal computational resources to recover plaintext passwords.

Summary generated and translated by AI from the official description.

The TeleMessage service through 2025-05-05 relies on MD5 for password hashing, which opens up various attack possibilities (including rainbow tables) with low computational effort.

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

Affected products

TeleMessage · service

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.wired.com/story/how-the-signal-knock-off-app-telemessage-got-hacked-in-20-minutes/