Hackers scanning for TeleMessage Signal clone flaw exposing passwords

Researchers are seeing exploitation attempts for the CVE-2025-48927 vulnerability in the TeleMessage SGNL app, which allows retrieving usernames, passwords, and other sensitive data.

TeleMessage SGNL is a Signal clone app now owned by Smarsh, a compliance-focused company that provides cloud-based or on-premises communication solutions to various organizations.

Scanning for vulnerable endpoints

Threat monitoring firm GreyNoise has observed multiple attempts to exploit CVE-2025-48927, likely by different threat actors.

“As of July 16, GreyNoise has observed 11 IPs attempting to exploit CVE-2025-48927,” reports GreyNoise.

“Related reconnaissance behavior is ongoing. Our telemetry shows active scanning for Spring Boot Actuator endpoints, a potential precursor to identifying systems affected by CVE-2025-48927.”

According to GreyNoise, more than two thousand IPs have scanned for Spring Boot Actuator endpoints over the past months, slightly over 75% of them targeting the ‘/health’ endpoint specifically.
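Reconnaissance of this kind is visible in ordinary web server logs before any heap dump is ever served. The following is an added example for this article, not code from GreyNoise, TeleMessage or Smarsh: it parses Combined Log Format lines (a constructed sample is embedded, using documentation IP ranges), ignores a trusted monitoring network (an assumed 10.0.0.0/8, since legitimate health checks also hit /actuator/health), and reports which external IPs probed Actuator endpoints, how many touched /health, and whether a /heapdump request was actually answered with a 200, which is the condition that makes a server exploitable rather than merely scanned.

```python
"""Flag Spring Boot Actuator reconnaissance in a web access log.

Added example for this article; not code from GreyNoise or TeleMessage.
Parses Combined Log Format lines, skips trusted monitoring networks,
and reports which external IPs probed Actuator endpoints, how many hit
/health (the endpoint most scans target) and whether any /heapdump
request was actually served.
"""
import ipaddress
import re
from collections import defaultdict

# Combined Log Format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Default Actuator location (/actuator/<id>) plus the root-level layout
# (/<id>) used by older Spring Boot configurations. Ids are the standard
# Actuator endpoint ids.
ACTUATOR_RE = re.compile(
    r"^/(?:actuator/)?(health|heapdump|env|beans|mappings|configprops|threaddump|metrics|info)(?:[/?]|$)"
)


def actuator_endpoint(path):
    """Return the Actuator endpoint id a request path targets, or None."""
    m = ACTUATOR_RE.match(path)
    return m.group(1) if m else None


def is_trusted(ip, trusted_nets):
    """True if ip falls inside one of the trusted (e.g. internal monitoring) networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted_nets)


def analyse(log_lines, trusted_nets=()):
    probes = defaultdict(set)  # ip -> set of Actuator endpoint ids requested
    served = []                # (ip, bytes) for heap dumps the server actually returned
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ep = actuator_endpoint(m["path"])
        if ep is None or is_trusted(m["ip"], trusted_nets):
            continue
        probes[m["ip"]].add(ep)
        if ep == "heapdump" and m["status"] == "200":
            size = int(m["size"]) if m["size"].isdigit() else 0
            served.append((m["ip"], size))
    return {
        "probing_ips": {ip: sorted(eps) for ip, eps in probes.items()},
        "health_probers": sum(1 for eps in probes.values() if "health" in eps),
        "heapdump_served": served,
    }


# Constructed sample log (documentation IP ranges); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Jul/2025:10:01:02 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "python-requests/2.31"
203.0.113.10 - - [16/Jul/2025:10:01:03 +0000] "GET /actuator/heapdump HTTP/1.1" 200 157286400 "-" "python-requests/2.31"
198.51.100.7 - - [16/Jul/2025:10:05:44 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "curl/8.0"
198.51.100.7 - - [16/Jul/2025:10:05:45 +0000] "GET /actuator/env HTTP/1.1" 401 0 "-" "curl/8.0"
192.0.2.55 - - [16/Jul/2025:10:09:00 +0000] "GET /heapdump HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.200 - - [16/Jul/2025:10:10:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [16/Jul/2025:10:11:00 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "kube-probe/1.29"
""".splitlines()

# Assumed internal monitoring range whose health checks should not count as recon.
TRUSTED_NETS = (ipaddress.ip_network("10.0.0.0/8"),)

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG, TRUSTED_NETS)
    for ip, eps in report["probing_ips"].items():
        print(f"{ip}: {', '.join(eps)}")
    print(f"{report['health_probers']} external IPs probed /health")
    for ip, size in report["heapdump_served"]:
        print(f"ALERT: heap dump of {size} bytes served to {ip}")
```

On the sample, the two external IPs that hit /health are reported as probers, the root-level /heapdump request that got a 404 is still recorded as reconnaissance, and only the request from 203.0.113.10 raises the alert, because it is the only one where the server returned a heap dump. A /heapdump that is served with a 200 is an incident, not a scan, regardless of whether the requesting IP is on any threat list.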

The CVE-2025-48927 vulnerability is caused by exposing the ‘/heapdump’ endpoint of Spring Boot Actuator without authentication. TeleMessage has addressed the issue, but some on-premises installations remain vulnerable.


When using outdated Spring Boot configurations that don’t restrict access to diagnostic endpoints, the flaw lets an attacker download a full Java heap memory dump of roughly 150MB, which may contain plaintext usernames, passwords, tokens, and other sensitive data.

To defend against these attacks, it is recommended to disable the /heapdump endpoint or restrict access to it to trusted IP ranges only, and to limit the exposure of all Actuator endpoints as much as possible.
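The exposure in question comes down to a handful of Spring Boot properties. The following is an added example for this article, not TeleMessage, Smarsh or Spring code: it embeds two constructed application.properties fragments, one with the kind of outdated wildcard exposure the article describes and one with the mitigation applied (heapdump disabled outright, only health published), and audits them using the documented Spring Boot 2.x/3.x semantics of management.endpoints.web.exposure.include, management.endpoints.web.exposure.exclude and management.endpoint.<id>.enabled. The default exposure list used when include is absent is an assumption for Spring Boot 3 (health only); older 2.x releases also exposed info.

```python
"""Audit Spring Boot Actuator exposure settings in application.properties.

Added example for this article; not TeleMessage or Spring code. The two
property fragments are constructed. The check encodes the Spring Boot
2.x/3.x semantics of management.endpoints.web.exposure.include/.exclude
and management.endpoint.<id>.enabled; the default include list is an
assumption for Spring Boot 3 (health only).
"""

# Actuator endpoints that leak configuration or memory contents.
SENSITIVE_ENDPOINTS = ("heapdump", "env", "beans", "mappings", "configprops", "threaddump")

# Constructed: the outdated setup, every endpoint (heapdump included) published over HTTP.
WEAK_PROPERTIES = """\
# exposes every Actuator endpoint, including /actuator/heapdump, to anyone who can reach the port
management.endpoints.web.exposure.include=*
"""

# Constructed: the mitigation, heapdump disabled entirely and only health exposed.
HARDENED_PROPERTIES = """\
# disables the endpoint completely (no HTTP, no JMX); only health is published over the web
management.endpoint.heapdump.enabled=false
management.endpoints.web.exposure.include=health
management.endpoints.web.exposure.exclude=heapdump,env
"""


def parse_properties(text):
    """Minimal .properties parser: key=value lines, '#'/'!' comments ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _csv(value):
    return {v.strip() for v in value.split(",") if v.strip()}


def web_exposed_endpoints(props):
    """Endpoint ids reachable over HTTP under these settings.

    include selects ('*' = all), exclude then removes ('*' = all), and
    management.endpoint.<id>.enabled=false removes the endpoint regardless
    of exposure. Assumed default include list: health (Spring Boot 3).
    """
    include = _csv(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    candidates = set(SENSITIVE_ENDPOINTS) | {"health", "info", "metrics"}
    if "*" not in include:
        candidates &= include
    if "*" in exclude:
        return set()
    candidates -= exclude
    return {
        ep for ep in candidates
        if props.get(f"management.endpoint.{ep}.enabled", "true").lower() != "false"
    }


def audit(props):
    """Return a list of findings; an empty list means no sensitive endpoint is web-exposed."""
    findings = []
    exposed = web_exposed_endpoints(props)
    if "heapdump" in exposed:
        findings.append("heapdump exposed over HTTP: full JVM heap (credentials, tokens) downloadable")
    for ep in sorted(exposed & (set(SENSITIVE_ENDPOINTS) - {"heapdump"})):
        findings.append(f"{ep} exposed over HTTP")
    if "*" in _csv(props.get("management.endpoints.web.exposure.include", "")):
        findings.append("wildcard exposure: every current and future Actuator endpoint is published")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(f"[{name}] exposed: {sorted(web_exposed_endpoints(parse_properties(text)))}")
        for finding in audit(parse_properties(text)):
            print(f"  - {finding}")
```

Two caveats a practitioner should keep in mind. Exposure properties decide which endpoints exist over HTTP; they add no authentication, so an exposed endpoint still needs Spring Security (or an equivalent filter) in front of it, and restricting /heapdump to trusted IP ranges is done at the reverse proxy or firewall, not in these properties. Disabling heapdump via management.endpoint.heapdump.enabled=false is the simpler fix, since exposure rules can be reopened by a later configuration change while a disabled endpoint is not there to reopen.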

Archiving Signal messages

The TeleMessage SGNL app is designed to provide encrypted communication with built-in archival, so that all chats, calls, and attachments are automatically saved for compliance, auditing, or record-keeping.

These claims have been disputed by past research saying that end-to-end encryption isn’t maintained and sensitive data, including messages, is stored in plaintext.

This was exposed in May 2025, when a hacker accessed a diagnostic endpoint and downloaded credentials and archived content. The event triggered concerns about national security in the U.S., after revelations that the product was being used by Customs & Border Protection and officials, including Mike Waltz.


CVE-2025-48927 was disclosed in May and CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on July 1, requesting that all federal agencies apply mitigations by July 22.

The agency also listed CVE-2025-48928, a flaw in SGNL where a JSP app exposes a memory dump containing passwords sent over HTTP to unauthorized users.
