“Although the exploitation methods might not be complicated (hence the low score), the outcome—access to plaintext chat logs despite assertions of end-to-end encryption—constitutes a serious breach of confidentiality, which is essential for a secure messaging service, especially one that may handle sensitive communications,” Schwake noted.
CISA’s advice for agencies and businesses to avoid using TeleMessage likely stems from this confirmed real-world exploitation and its significant impact on data privacy, regardless of the technical score, he added.
Government officials are especially vulnerable
“This vulnerability was most likely added to the KEV list due to the reported use of TeleMessage by government officials,” Thomas Richards, infrastructure security practice director at Black Duck, told CSO in a comment.
