Researchers are seeing exploitation makes an attempt for the CVE-2025-48927 vulnerability within the TeleMessage SGNL app, which permits retrieving usernames, passwords, and different delicate knowledge.
TeleMessage SGNL is a Sign clone app now owned by Smarsh, a compliance-focused firm that gives cloud-based or on-premisses communication options to numerous organizations.
Scanning for weak endpoints
Menace monitoring agency GreyNoise has noticed a number of makes an attempt to use CVE-2025-48927, possible by totally different risk actors.
“As of July 16, GreyNoise has noticed 11 IPs making an attempt to use CVE-2025-48927,” stories GreyNoise.
“Associated reconnaissance conduct is ongoing. Our telemetry exhibits energetic scanning for Spring Boot Actuator endpoints, a possible precursor to figuring out techniques affected by CVE-2025-48927.”
Based on GreyNoise, greater than two thousand IPs have scanned for Dash Boot Actuator endpoints over the previous months, a little bit over 75% of them focusing on the ‘/well being’ endpoints particularly.
The CVE-2025-48927 vulnerability is attributable to exposing the ‘/heapdump’ endpoint from Spring Boot Actuator with out authentication. TeleMessage addressed the problem however some on-prem installations are nonetheless weak.
When utilizing outdated Spring Boot configurations that don’t limit entry to diagnostic endpoints, the flaw lets an attacker obtain a full Java heap reminiscence dump of roughly 150MB, which can include plaintext usernames, passwords, tokens, and different delicate knowledge.
To defend towards these assaults, it is suggested to disable or limit entry to the /heapdump endpoint solely to trusted IP ranges and restrict the publicity of all Actuator endpoints as a lot as doable.
Archiving Sign messages
The TeleMessage SGNL app is designed to supply encrypted communication with built-in archival, so that every one chats, calls, and attachments are routinely saved for compliance, auditing, or record-keeping.
These claims have been disputed by previous analysis saying that end-to-end encryption isn’t maintained and delicate knowledge, together with messages, is saved in plaintext.
This was uncovered in Could 2025, when a hacker accessed a diagnostic endpoint and downloaded credentials and archived content material. The occasion triggered considerations about nationwide safety within the U.S., after revelations that the product was being utilized by the Customs & Border Safety and officers, together with Mike Waltz.
CVE-2025-48927 was disclosed in Could and CISA added it to the Identified Exploited Vulnerabilities (KEV) catalog on July 1, requesting that every one federal businesses apply mitigations by July 22.
The company additionally listed CVE-2025-48928, a flaw in SGNL the place a JSP app exposes a reminiscence dump containing passwords despatched over HTTP to unauthorized customers.
Comprise rising threats in actual time – earlier than they affect your enterprise.
Learn the way cloud detection and response (CDR) offers safety groups the sting they want on this sensible, no-nonsense information.
