Signal App Clone Telemessage App Vulnerability Could Expose Passwords, Active Exploitation Reported

A critical vulnerability in TeleMessageTM SGNL, an enterprise messaging system modeled after Signal, has been actively exploited by threat actors seeking to steal sensitive credentials and user data.

The security flaw, designated CVE-2025-48927, was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on July 14th, highlighting the urgent need for organizations to address this exposure.

Critical Vulnerability Exposes Sensitive Data

The vulnerability affects deployments of TeleMessageTM SGNL, a secure communications platform used by government agencies and enterprises to archive confidential messages.

The security issue stems from the platform’s continued use of legacy configurations in Spring Boot Actuator, where a diagnostic /heapdump endpoint remains publicly accessible without authentication.

When exploited, this endpoint can return a complete snapshot of heap memory — approximately 150MB — containing plaintext usernames, passwords, and other sensitive information.

While newer versions of Spring Boot no longer expose this endpoint by default, public reporting indicates that TeleMessage instances continued using the older, insecure configuration through at least May 5, 2025.

The vulnerability was initially disclosed in May 2025 but has gained renewed attention following evidence of active exploitation attempts.

Security researchers note that the flaw represents a significant risk to organizations relying on the platform for secure communications, particularly given the sensitive nature of data typically handled by such systems.

Active Exploitation Attempts Detected

GreyNoise intelligence has documented concerning levels of reconnaissance and exploitation activity targeting this vulnerability.

As of July 16, the security firm has observed 11 distinct IP addresses attempting to exploit CVE-2025-48927, with a dedicated tracking tag created on July 10.

The threat landscape extends beyond direct exploitation attempts.

GreyNoise telemetry reveals extensive scanning activity for Spring Boot Actuator endpoints, which security experts consider a potential precursor to identifying systems affected by CVE-2025-48927.

Over the past 90 days, 2,009 IP addresses have scanned for Spring Boot Actuator endpoints, with 1,582 specifically targeting the /health endpoints commonly used to detect internet-exposed Spring Boot deployments.

Immediate Action Required for Organizations

Organizations using Spring Boot technology, particularly in internal tools or secure messaging environments, must immediately verify whether the /heapdump endpoint is exposed to the internet.

GreyNoise recommends blocking malicious IPs using their threat intelligence tags, including “SPRING BOOT ACTUATOR CRAWLER,” “SPRING BOOT ACTUATOR HEALTH SCANNER,” and “TELEMESSAGE TM SGNL SPRING BOOT ACTUATOR /HEAPDUMP DISCLOSURE CVE-2025-48927 ATTEMPT”.

Critical remediation steps include disabling or restricting access to the /heapdump endpoint, limiting exposure of all Actuator endpoints unless explicitly required, and upgrading to supported Spring Boot versions where secure defaults are enforced.
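
To support the remediation steps above, here is an added example (not from the original article, GreyNoise, or TeleMessage) that audits Spring Boot properties text for settings that leave the heapdump endpoint reachable. The function names and sample configurations are constructed for illustration; the property keys are the standard Spring Boot Actuator ones, not values taken from any TeleMessage deployment.

```python
import re

def parse_properties(text):
    """Parse .properties-style 'key=value' or 'key: value' lines into a dict."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):  # blank line or comment
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        if len(parts) == 2:
            props[parts[0]] = parts[1]
    return props

def _ids(value):
    """Split a comma-separated endpoint list into a lowercase set."""
    return {v.strip().lower() for v in value.split(",") if v.strip()}

def heapdump_findings(text):
    """Return findings for settings that leave the heapdump endpoint reachable."""
    p = {k: v.lower() for k, v in parse_properties(text).items()}
    findings = []
    # Spring Boot 2.x and later: web exposure is an include list minus an exclude list.
    include = _ids(p.get("management.endpoints.web.exposure.include", "health"))
    exclude = _ids(p.get("management.endpoints.web.exposure.exclude", ""))
    exposed = bool(include & {"*", "heapdump"}) and not exclude & {"*", "heapdump"}
    disabled = (p.get("management.endpoint.heapdump.enabled") == "false"
                or p.get("management.endpoint.heapdump.access") == "none")
    if exposed and not disabled:
        findings.append("heapdump is exposed over HTTP: exclude or disable it, "
                        "or confirm it sits behind authentication")
    # Spring Boot 1.x: turning off management security removes the auth check.
    if (p.get("management.security.enabled") == "false"
            and p.get("endpoints.heapdump.enabled") != "false"):
        findings.append("legacy management.security.enabled=false leaves "
                        "/heapdump unauthenticated")
    return findings

# Constructed sample configurations, not taken from any real deployment.
WEAK = "management.endpoints.web.exposure.include=*\n"
LEGACY = "# 1.x style\nmanagement.security.enabled=false\n"
HARDENED = ("management.endpoints.web.exposure.include=health,info\n"
            "management.endpoints.web.exposure.exclude=heapdump\n"
            "management.endpoint.heapdump.enabled=false\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("legacy", LEGACY), ("hardened", HARDENED)):
        print(name, heapdump_findings(cfg) or "no heapdump exposure found")
```

A clean result from this check covers only the properties file; a reverse proxy or security configuration in front of the application still decides what is reachable from the internet.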
