CVE-2025-48929

The TeleMessage service through 2025-05-05 implements authentication through a long-lived credential (e.g., not a token with a short expiration time) that can be reused at a later date if discovered by an adversary.

CVSS v3 4.0 MEDIUM

4.0^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://www.wired.com/story/how-the-signal-knock-off-app-telemessage-got-hacked-in-20-minutes/	Press/Media Coverage

Configurations

Configuration 1 (hide)

cpe:2.3:a:smarsh:telemessage:*:*:*:*:*:*:*:*

History

22 Oct 2025, 15:01

Type	Values Removed	Values Added
First Time		Smarsh telemessage Smarsh
CWE		CWE-613
References	~~() https://www.wired.com/story/how-the-signal-knock-off-app-telemessage-got-hacked-in-20-minutes/ -~~	() https://www.wired.com/story/how-the-signal-knock-off-app-telemessage-got-hacked-in-20-minutes/ - Press/Media Coverage
CPE		cpe:2.3:a:smarsh:telemessage::::::::

01 Jul 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-28 17:15

Updated : 2025-10-22 15:01

NVD link : CVE-2025-48929

Mitre link : CVE-2025-48929

CVE.ORG link : CVE-2025-48929

JSON object : View

Products Affected

smarsh

telemessage

CWE

CWE-922

Insecure Storage of Sensitive Information

CWE-613

Insufficient Session Expiration

{"id": "CVE-2025-48929", "cveTags": [{"tags": ["exclusively-hosted-service"], "sourceIdentifier": "cve@mitre.org"}], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-05-28T17:15:25.233", "references": [{"url": "https://www.wired.com/story/how-the-signal-knock-off-app-telemessage-got-hacked-in-20-minutes/", "tags": ["Press/Media Coverage"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cve@mitre.org", "description": [{"lang": "en", "value": "CWE-922"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-613"}]}], "descriptions": [{"lang": "en", "value": "The TeleMessage service through 2025-05-05 implements authentication through a long-lived credential (e.g., not a token with a short expiration time) that can be reused at a later date if discovered by an adversary."}, {"lang": "es", "value": "El servicio TeleMessage, hasta el 5 de mayo de 2025, implementa la autenticaci\u00f3n a trav\u00e9s de una credencial de larga duraci\u00f3n (por ejemplo, no un token con un tiempo de vencimiento corto) que se puede reutilizar en una fecha posterior si un adversario la descubre, como se explot\u00f3 en la naturaleza en mayo de 2025."}], "lastModified": "2025-10-22T15:01:11.703", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:smarsh:telemessage:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "44FADD39-A519-4B77-920B-5BE3A93D7D33", "versionEndIncluding": "2025-05-05"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}