A critical security vulnerability in TeleMessage SGNL, an enterprise messaging system modeled after Signal, has been actively exploited by cybercriminals seeking to extract sensitive user credentials and personal information.
The flaw, designated CVE-2025-48927, affects government agencies and enterprises using this secure communication platform for archiving confidential messages.
Key Takeaways
1. CVE-2025-48927 in the Signal clone TeleMessage SGNL exposes passwords.
2. 11 IPs are exploiting the vulnerability, and 2,000+ have scanned for vulnerable systems in the past 90 days.
3. Disable the /heapdump endpoint, block malicious IPs, and upgrade Spring Boot immediately.
Overview of Spring Boot Actuator Flaw
The vulnerability stems from TeleMessage SGNL's continued use of legacy Spring Boot Actuator configurations, in which a diagnostic /heapdump endpoint remains publicly accessible without authentication.
This endpoint can return full snapshots of heap memory, roughly 150MB in size, potentially containing plaintext usernames, passwords, and other sensitive data.
While newer versions of Spring Boot have addressed this security issue by disabling public access to such endpoints by default, TeleMessage instances continued using the vulnerable configuration through at least May 5, 2025.
The severity of this issue prompted the Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2025-48927 to its Known Exploited Vulnerabilities (KEV) catalog on July 14.
Active Exploitation of CVE-2025-48927
GreyNoise Research has identified significant malicious activity targeting this vulnerability. As of July 16, 11 IP addresses have been observed attempting to exploit CVE-2025-48927.
The security firm created a dedicated tracking tag on July 10 to monitor these exploitation attempts.
More concerning is the broader reconnaissance activity preceding these attacks. GreyNoise telemetry reveals that 2,009 IP addresses have scanned for Spring Boot Actuator endpoints over the past 90 days.
Of those, 1,582 IPs specifically targeted /health endpoints, which attackers commonly use to identify internet-exposed Spring Boot deployments that may be vulnerable to exploitation.
The research team has released a dedicated tag to track scanning activity: "TeleMessage SGNL Spring Boot Actuator /heapdump Disclosure".
This systematic approach to identifying vulnerable systems suggests organized cybercriminal campaigns rather than opportunistic attacks.
Risk Factors / Details
Affected Products: TeleMessage SGNL (Signal clone enterprise messaging system)
Impact: Exposure of plaintext usernames, passwords, and sensitive data through heap memory dumps (~150MB snapshots)
Exploit Prerequisites: Publicly accessible /heapdump endpoint without authentication in legacy Spring Boot Actuator configurations
CVSS 3.1 Score: 5.3 (Medium)
Organizations using Spring Boot frameworks, particularly those running secure messaging environments, should immediately verify whether their /heapdump endpoints are exposed to the internet.
GreyNoise recommends blocking malicious IPs using its threat intelligence feeds, specifically targeting the SPRING BOOT ACTUATOR CRAWLER and SPRING BOOT ACTUATOR HEALTH SCANNER activities.
Critical remediation steps include disabling or restricting access to the /heapdump endpoint, limiting exposure of all Actuator endpoints unless explicitly required, and upgrading to supported Spring Boot versions with secure defaults.
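The scanning pattern described above (a /health probe to fingerprint Spring Boot, followed by a request for the heap dump) is something defenders can look for in their own access logs. The following is an added example, not code from the report or from GreyNoise: it parses Common Log Format lines, counts Actuator probes per source IP, and flags any heap dump that was actually served (2xx status with a body in the tens of megabytes or more). The log lines, IP addresses and sizes are constructed for illustration, and the 10MB threshold is an assumption chosen to separate a real ~150MB dump from a 404 or error page.

```python
import re
from collections import defaultdict

# Constructed sample access log (Common Log Format). IPs, paths and sizes are
# made up for illustration; they are not indicators from the report.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jul/2025:08:01:02 +0000] "GET /actuator/health HTTP/1.1" 200 15
198.51.100.7 - - [10/Jul/2025:08:01:03 +0000] "GET /actuator HTTP/1.1" 200 1204
198.51.100.7 - - [10/Jul/2025:08:01:05 +0000] "GET /actuator/heapdump HTTP/1.1" 200 157286400
203.0.113.9 - - [10/Jul/2025:08:02:11 +0000] "GET /health HTTP/1.1" 404 0
203.0.113.9 - - [10/Jul/2025:08:02:12 +0000] "GET /heapdump HTTP/1.1" 404 0
192.0.2.4 - - [10/Jul/2025:08:03:00 +0000] "GET /login HTTP/1.1" 200 4210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
# Legacy Spring Boot 1.x served these at the root; 2.x+ uses the /actuator prefix.
HEALTH_PATHS = {"/health", "/actuator/health"}
HEAPDUMP_PATHS = {"/heapdump", "/actuator/heapdump"}
# Assumed threshold: a real heap dump is far larger than any error page.
HEAPDUMP_MIN_BYTES = 10 * 1024 * 1024

def analyze_access_log(text: str) -> dict:
    """Return per-IP Actuator probe counts and a list of likely heap-dump disclosures."""
    probes = defaultdict(lambda: {"health": 0, "heapdump": 0})
    disclosures = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        ip = m["ip"]
        path = m["path"].split("?", 1)[0].rstrip("/") or "/"
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        if path in HEALTH_PATHS:
            probes[ip]["health"] += 1
        elif path in HEAPDUMP_PATHS:
            probes[ip]["heapdump"] += 1
            # Only a successful response with a large body means the dump left the host.
            if 200 <= status < 300 and size >= HEAPDUMP_MIN_BYTES:
                disclosures.append({"ip": ip, "path": path, "bytes": size})
    return {"probes": dict(probes), "disclosures": disclosures}

if __name__ == "__main__":
    result = analyze_access_log(SAMPLE_LOG)
    for ip, counts in result["probes"].items():
        print(f"{ip}: {counts['health']} health probes, {counts['heapdump']} heapdump probes")
    for d in result["disclosures"]:
        print(f"LIKELY DISCLOSURE: {d['ip']} fetched {d['path']} ({d['bytes']} bytes)")
```

A probe that received a 404 (as from 203.0.113.9 above) is still worth correlating with GreyNoise's scanner tags, but only the served dump warrants credential rotation.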