Micah Lee

**Name of the Vulnerable Software and Affected Versions** TeleMessage service through 2025-05-05 **Description** The issue concerns the storage of certain cleartext information in memory by the TeleMessage service. This information may be accessible to an adversary through various means. There have been real-world incidents where this issue was exploited, specifically in May 2025. **Recommendations** For the TeleMessage service through 2025-05-05, consider implementing memory encryption or secure data storage practices to protect sensitive information. As a temporary workaround, restrict access to sensitive data and monitor for any suspicious activity. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TeleMessage service through 2025-05-05 **Description** The issue allows attackers to discover sensitive information, including usernames, e-mail addresses, passwords, and telephone numbers, in the admin panel of the TeleMessage service. This has been exploited in the wild. **Recommendations** For versions through 2025-05-05, consider restricting access to the admin panel until a fix is available. As a temporary workaround, avoid using the admin panel for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TeleMessage service through 2025-05-05 **Description** The issue concerns the configuration of Spring Boot Actuator with an exposed heap dump endpoint at the "/heapdump" URI. This has been exploited in the wild in May 2025. **Recommendations** For versions through 2025-05-05, consider restricting access to the "/heapdump" URI to minimize the risk of exploitation. As a temporary workaround, disabling the heap dump endpoint until a more permanent solution is available is recommended. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TeleMessage service through 2025-05-05 **Description** The issue concerns the implementation of authentication through a long-lived credential in the TeleMessage service, which can be reused if discovered by an adversary. This has been exploited in the wild in May 2025. **Recommendations** For the TeleMessage service through 2025-05-05, consider implementing short-lived authentication tokens to minimize the risk of credential reuse. As a temporary workaround, restrict access to sensitive features that rely on the long-lived credential until a more secure authentication mechanism is implemented.

**Name of the Vulnerable Software and Affected Versions** TeleMessage versions prior to 2025-05-05 **Description** The TeleMessage archiving backend holds cleartext copies of messages from TM SGNL (aka Archive Signal) app users, which is different functionality than described in the TeleMessage "End-to-End encryption from the mobile phone through to the corporate archive" documentation. This issue has been exploited in the wild in May 2025. The vulnerability allows unauthorized access to private messages and group chats that were intended to be secure, raising concerns about data security for individuals and government officials who use the application. It is estimated that a significant number of devices may be affected, including those used by high-ranking government officials and federal agencies. **Recommendations** As a temporary workaround, consider disabling the use of the TeleMessage archiving backend until a patch is available. Restrict access to the TeleMessage application to minimize the risk of exploitation. Avoid using the TeleMessage application for sensitive communications until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TeleMessage archiving backend versions through 2025-05-05 **Description** The issue concerns the acceptance of API calls from the TM SGNL (aka Archive Signal) app to request an authentication token, using hardcoded credentials. The credentials used are `logfile` for the user and `enRR8UVVywXYbFkqU#QDPRkO` for the password. **Recommendations** For versions through 2025-05-05, consider disabling the API endpoint that accepts authentication token requests from the TM SGNL app until a patch is available. Restrict access to the affected API endpoint to minimize the risk of exploitation. Avoid using the hardcoded credentials `logfile` and `enRR8UVVywXYbFkqU#QDPRkO` in the affected API calls until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Multipass versions prior to 1.7.0 **Description** The issue allows any local process to connect to the localhost TCP control socket, enabling mounts from the operating system to a guest. This can lead to privilege escalation. **Recommendations** For versions prior to 1.7.0, update to version 1.7.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** GNOME Nautilus versions prior to 3.23.90 **Description** The issue allows attackers to spoof a file type by using the .desktop file extension. This can be demonstrated by an attack where a .desktop file's Name field ends in .pdf, but the Exec field launches a malicious "sh -c" command. The UI does not indicate that a file has the potentially unsafe .desktop extension; instead, it only shows the .pdf extension. An attack requires the .desktop file to have execute permission. **Recommendations** For versions prior to 3.23.90, the solution is to ask the user to confirm that the file is supposed to be treated as a .desktop file, and then remember the user's answer in the metadata::trusted field. As a temporary workaround, consider restricting the execution of .desktop files to minimize the risk of exploitation.