CISA Warns of TeleMessage TM SGNL Vulnerabilities Exploited in Attacks

CISA has issued an urgent warning regarding two critical vulnerabilities in TeleMessage TM SGNL that threat actors are currently exploiting in active attack campaigns.

The vulnerabilities, tracked as CVE-2025-48927 and CVE-2025-48928, pose significant security risks to organizations utilizing this communication platform, with CISA adding both flaws to its Known Exploited Vulnerabilities (KEV) catalog on July 1, 2025. 

Key Takeaways
1. CVE-2025-48927 and CVE-2025-48928 expose sensitive data through insecure Spring Boot Actuator and JSP configurations in TeleMessage TM SGNL.
2. CISA confirmed active exploitation and set a remediation deadline of July 22, 2025, for federal agencies.
3. Apply vendor patches immediately or discontinue product use in accordance with BOD 22-01 guidance.
4. Unpatched systems risk data theft, privilege escalation, and potential ransomware attacks.

Organizations have until July 22, 2025, to implement necessary mitigations or discontinue use of the affected product to protect their infrastructure from potential compromises.

Spring Boot Actuator Flaw (CVE-2025-48927)

The first vulnerability, CVE-2025-48927, is an initialization of a resource with an insecure default, classified under CWE-1188.

This critical security weakness stems from improper configuration of the Spring Boot Actuator component, which inadvertently exposes a sensitive heap dump endpoint accessible via the /heapdump URI path. 

This misconfiguration allows unauthorized attackers to access memory dumps containing potentially sensitive information, including authentication credentials, session tokens, and other confidential data stored in the application’s memory space.
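A defender can check an application's own configuration for this class of exposure. The following is an added example, not code from CISA, TeleMessage, or the original article: a small auditor that reads application.properties text and reports whether the Actuator heap dump endpoint would be served over HTTP. It assumes the standard Spring Boot 2.x/3.x property names (legacy 1.x keys are not covered), and the two sample configurations are constructed for illustration, not taken from the affected product.

```python
import re

def parse_properties(text):
    """Parse simple key=value or key:value lines; skip blanks and comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        if len(parts) == 2:
            props[parts[0].lower()] = parts[1].strip()
    return props

def _ids(value):
    return {v.strip().lower() for v in value.split(",") if v.strip()}

def audit_heapdump(text):
    """Return a list of findings; an empty list means heapdump is not web-exposed."""
    p = parse_properties(text)
    include = _ids(p.get("management.endpoints.web.exposure.include", "health"))
    exclude = _ids(p.get("management.endpoints.web.exposure.exclude", ""))
    # exclude takes precedence over include
    on_web = bool({"*", "heapdump"} & include) and not ({"*", "heapdump"} & exclude)
    # Conservative assumption: treated as enabled unless explicitly turned off.
    default_on = p.get("management.endpoints.enabled-by-default", "true").lower() != "false"
    enabled = p.get("management.endpoint.heapdump.enabled", str(default_on)).lower() == "true"
    if p.get("management.endpoint.heapdump.access", "").lower() == "none":
        enabled = False  # Spring Boot 3.4+ access model
    base = p.get("management.endpoints.web.base-path", "/actuator").rstrip("/")
    findings = []
    if on_web and enabled:
        findings.append(f"heapdump served over HTTP at {base}/heapdump")
        if "*" in include:
            findings.append("exposure.include uses wildcard '*'")
    return findings

# Constructed sample: wildcard exposure with endpoints mounted at the root path.
WEAK = """
management.endpoints.web.exposure.include=*
management.endpoints.web.base-path=/
"""
# Constructed sample: explicit allow-list and heapdump switched off.
HARDENED = """
management.endpoints.web.exposure.include=health,info
management.endpoint.heapdump.enabled=false
"""

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_heapdump(cfg) or "no heapdump exposure found")
```

A finding means the endpoint is reachable at the web layer; whether a request must authenticate depends on the application's security configuration, which this check does not read.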

Core Dump Exposure Flaw (CVE-2025-48928)

The second vulnerability, CVE-2025-48928, involves the exposure of core dump files to unauthorized control spheres, categorized under CWE-528. 

This flaw affects the platform’s JSP (JavaServer Pages) application architecture, where heap content becomes accessible in a manner equivalent to traditional core dumps. 

The vulnerability is particularly concerning because it can expose passwords and other sensitive authentication data that were previously transmitted over HTTP connections, creating a significant data exposure risk for organizations relying on TeleMessage TM SGNL for secure communications.

| CVE | Description | Affected Product | CVSS 3.1 Score |
|---|---|---|---|
| CVE-2025-48927 | An initialization of a resource with an insecure default vulnerability. | TeleMessage TM SGNL | 5.3 (Medium) |
| CVE-2025-48928 | An exposure of core dump file to an unauthorized control sphere vulnerability. | TeleMessage TM SGNL | 4.0 (Medium) |

Mitigations

CISA has classified both vulnerabilities as actively exploited threats, though the agency notes that their potential use in ransomware campaigns remains unknown at this time. 

The federal cybersecurity agency strongly recommends that organizations immediately apply vendor-provided mitigations if available, emphasizing the critical nature of these security flaws. 

Additionally, CISA advises organizations to follow applicable Binding Operational Directive (BOD) 22-01 guidance specifically related to cloud services security requirements.

For organizations unable to locate vendor mitigation instructions or those finding that adequate mitigations are unavailable, CISA recommends the more drastic step of discontinuing use of the TeleMessage TM SGNL product entirely. 

This recommendation underscores the severity of the vulnerabilities and the potential impact on organizational security posture.

The July 22, 2025, deadline provides a narrow window for organizations to assess their exposure, implement appropriate security measures, and ensure compliance with federal cybersecurity directives while maintaining operational continuity during this critical remediation period.

The post CISA Warns of TeleMessage TM SGNL Vulnerabilities Exploited in Attacks appeared first on Cyber Security News.
