A critical vulnerability in TeleMessage TM SGNL, an enterprise messaging system modeled after Signal, has been actively exploited by threat actors seeking to steal sensitive credentials and user data.
The security flaw, designated CVE-2025-48927, was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on July 14th, highlighting the urgent need for organizations to address this exposure.
Critical Vulnerability Exposes Sensitive Data
The vulnerability affects deployments of TeleMessage TM SGNL, a secure communications platform used by government agencies and enterprises to archive confidential messages.
The security issue stems from the platform’s continued use of legacy configurations in Spring Boot Actuator, where a diagnostic /heapdump endpoint remains publicly accessible without authentication.
When exploited, this endpoint can return a complete snapshot of heap memory — approximately 150MB — containing plaintext usernames, passwords, and other sensitive information.
While newer versions of Spring Boot no longer expose this endpoint by default, public reporting indicates that TeleMessage instances continued using the older, insecure configuration through at least May 5, 2025.
The vulnerability was initially disclosed in May 2025 but has gained renewed attention following evidence of active exploitation attempts.
Security researchers note that the flaw represents a significant risk to organizations relying on the platform for secure communications, particularly given the sensitive nature of data typically handled by such systems.
Active Exploitation Attempts Detected
GreyNoise intelligence has documented concerning levels of reconnaissance and exploitation activity targeting this vulnerability.
As of July 16, the security firm has observed 11 distinct IP addresses attempting to exploit CVE-2025-48927, with a dedicated tracking tag created on July 10.
The threat landscape extends beyond direct exploitation attempts.
GreyNoise telemetry reveals extensive scanning activity for Spring Boot Actuator endpoints, which security experts consider a potential precursor to identifying systems affected by CVE-2025-48927.
Over the past 90 days, 2,009 IP addresses have scanned for Spring Boot Actuator endpoints, with 1,582 specifically targeting the /health endpoints commonly used to detect internet-exposed Spring Boot deployments.
Immediate Action Required for Organizations
Organizations using Spring Boot technology, particularly in internal tools or secure messaging environments, must immediately verify whether the /heapdump endpoint is exposed to the internet.
GreyNoise recommends blocking malicious IPs using their threat intelligence tags, including “SPRING BOOT ACTUATOR CRAWLER,” “SPRING BOOT ACTUATOR HEALTH SCANNER,” and “TELEMESSAGE TM SGNL SPRING BOOT ACTUATOR /HEAPDUMP DISCLOSURE CVE-2025-48927 ATTEMPT”.
Critical remediation steps include disabling or restricting access to the /heapdump endpoint, limiting exposure of all Actuator endpoints unless explicitly required, and upgrading to supported Spring Boot versions where secure defaults are enforced.
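As an added illustration (not configuration from the article, TeleMessage, or GreyNoise), the Spring Boot Actuator settings below show the kind of legacy exposure described above beside a hardened equivalent. The property names are standard Spring Boot ones; the management port value and the assumption that TM SGNL used exactly these legacy settings are mine.

```properties
# --- WEAK (legacy, do not use) ---------------------------------------------
# Spring Boot 1.x: disabling management security serves every actuator
# endpoint, including the "sensitive" /heapdump, to unauthenticated callers.
# management.security.enabled=false
# endpoints.heapdump.sensitive=false
#
# Spring Boot 2.x: exposing every endpoint over HTTP has the same effect
# once /heapdump is reachable from the internet.
# management.endpoints.web.exposure.include=*

# --- HARDENED (Spring Boot 2.x / 3.x) ----------------------------------------
# Expose only the endpoints the deployment actually needs.
management.endpoints.web.exposure.include=health,info

# Turn /heapdump off entirely; the bean is not even created.
management.endpoint.heapdump.enabled=false

# Keep /health answering for load balancers, but never leak component details
# (datasource URLs, disk paths) to anonymous callers.
management.endpoint.health.show-details=never

# Serve the actuator on a separate port (8081 is an assumed value) that is
# bound to the internal network only, so an edge proxy mistake cannot
# expose it alongside the application on 8080.
management.server.port=8081
management.server.address=127.0.0.1
```

After applying the hardened settings, an authenticated or unauthenticated request to the application port for /actuator/heapdump should return 404, and the scanner traffic GreyNoise tags for /health will see only a bare status value.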