
A vulnerability in TeleMessage TM SGNL, a secure messaging platform modeled after Signal and widely used by government agencies and regulated enterprises, is now under active exploitation.
GreyNoise confirms that attackers are probing for and exploiting CVE-2025-48927, a flaw that could allow unauthenticated access to memory dumps containing plaintext credentials.
The vulnerability, first disclosed in May 2025, stems from an insecure configuration of Spring Boot Actuator, a component often embedded in Java applications for diagnostics. Specifically, TeleMessage SGNL deployments continued exposing the /heapdump endpoint to the public internet, even though recent Spring Boot versions no longer expose it over the web by default. If reachable, the endpoint returns a full snapshot of the Java heap, typically exceeding 150MB, which may contain plaintext usernames, passwords, session tokens, and message fragments. No authentication is required, so anyone who can reach the endpoint can download the dump.
GreyNoise, a threat intelligence firm specializing in global scanning telemetry, added a detection tag for this flaw on July 10. By July 16, the company had observed 11 distinct IPs actively attempting to exploit the vulnerability. More broadly, over 2,000 IP addresses have scanned for Spring Boot Actuator endpoints in the last 90 days, with over 1,500 of them targeting /health, a known discovery vector for such deployments. GreyNoise warns that this reconnaissance activity is likely a precursor to broader exploitation.
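As an added example (not code from the article or from GreyNoise), the following Python script applies the detection logic described above to constructed web-server access-log lines: it counts per-IP probes of Actuator endpoints and flags any /heapdump request that the server actually answered with HTTP 200, which is the condition that indicates exposure rather than a mere probe. The log format, the endpoint paths and the sample lines are assumptions.

```python
import re
from collections import Counter

# Actuator endpoints of interest. Spring Boot 1.x served /heapdump at the
# root; 2.x and later serve it under /actuator. /health is the discovery
# probe the article describes, so it is counted as reconnaissance.
ACTUATOR_RE = re.compile(r"^/(?:actuator/)?(heapdump|health|env|mappings)\b")

# Combined Log Format, as written by Apache/Nginx (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (RFC 5737 documentation addresses, not real telemetry).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2025:12:00:01 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "curl/8.0"
203.0.113.7 - - [10/Jul/2025:12:00:02 +0000] "GET /actuator/heapdump HTTP/1.1" 200 157286400 "-" "curl/8.0"
198.51.100.9 - - [10/Jul/2025:12:05:10 +0000] "GET /heapdump HTTP/1.1" 404 0 "-" "python-requests/2.31"
192.0.2.44 - - [10/Jul/2025:12:07:00 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def triage(log_text):
    """Return (probes, served): per-IP counts of Actuator probes, and a list
    of (ip, path, bytes) for heap dumps the server actually delivered."""
    probes = Counter()
    served_heapdumps = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip
        path = m.group("path").split("?", 1)[0]  # drop any query string
        ep = ACTUATOR_RE.match(path)
        if not ep:
            continue
        probes[m.group("ip")] += 1
        # A 200 on heapdump means the JVM heap left the building.
        if ep.group(1) == "heapdump" and m.group("status") == "200":
            size = m.group("size")
            served_heapdumps.append((m.group("ip"), path, int(size) if size != "-" else 0))
    return probes, served_heapdumps


if __name__ == "__main__":
    probes, served = triage(SAMPLE_LOG)
    for ip, n in probes.most_common():
        print(f"{ip}: {n} actuator probe(s)")
    for ip, path, size in served:
        print(f"ALERT: heap dump served to {ip} via {path} ({size} bytes)")
```

A served heap dump should be treated as a credential exposure incident, not just a scan; on the server side the corresponding fix is to restrict Actuator web exposure with the standard Spring Boot property management.endpoints.web.exposure.include (for example to health only) so that heapdump is never reachable over HTTP.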
TeleMessage is an Israeli software firm that develops modified versions of secure messaging apps such as Signal, WhatsApp, and WeChat to meet regulatory requirements. Its SGNL product is designed for institutional use and silently archives encrypted messages to external systems for compliance purposes. However, as revealed in prior reports, including a breach involving Trump administration officials, these modifications introduce serious security risks. Archived data was shown to travel over inadequately protected channels, making it possible for attackers to extract sensitive communications with minimal effort.
CVE-2025-48927 was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on July 14, an indication that the flaw poses a high threat to federal systems. Public telemetry and incident response data suggest that TeleMessage continued using the outdated Spring Boot configuration through at least early May, leaving critical systems vulnerable. It remains unclear how many instances are still exposed.
While GreyNoise has not disclosed which organizations are being targeted, previous breaches involving TeleMessage systems affected users at U.S. Customs and Border Protection, Coinbase, and several financial institutions.