Researchers are seeing exploitation makes an attempt for the CVE-2025-48927 vulnerability within the TeleMessage SGNL app, which permits retrieving usernames, passwords, and different delicate information.
TeleMessage SGNL is a Sign clone app now owned by Smarsh, a compliance-focused firm that gives cloud-based or on-premisses communication options to numerous organizations.
Scanning for weak endpoints
Menace monitoring agency GreyNoise has noticed a number of makes an attempt to take advantage of CVE-2025-48927, seemingly by completely different menace actors.
“As of July 16, GreyNoise has noticed 11 IPs trying to take advantage of CVE-2025-48927,” reviews GreyNoise.
“Associated reconnaissance habits is ongoing. Our telemetry reveals lively scanning for Spring Boot Actuator endpoints, a possible precursor to figuring out techniques affected by CVE-2025-48927.”
In line with GreyNoise, greater than two thousand IPs have scanned for Dash Boot Actuator endpoints over the previous months, just a little over 75% of them focusing on the ‘/well being’ endpoints particularly.
The CVE-2025-48927 vulnerability is brought on by exposing the ‘/heapdump’ endpoint from Spring Boot Actuator with out authentication. TeleMessage addressed the difficulty however some on-prem installations are nonetheless weak.
When utilizing outdated Spring Boot configurations that don’t prohibit entry to diagnostic endpoints, the flaw lets an attacker obtain a full Java heap reminiscence dump of roughly 150MB, which can include plaintext usernames, passwords, tokens, and different delicate information.
To defend towards these assaults, it’s endorsed to disable or prohibit entry to the /heapdump endpoint solely to trusted IP ranges and restrict the publicity of all Actuator endpoints as a lot as doable.
Archiving Sign messages
The TeleMessage SGNL app is designed to offer encrypted communication with built-in archival, so that each one chats, calls, and attachments are routinely saved for compliance, auditing, or record-keeping.
These claims have been disputed by previous analysis saying that end-to-end encryption isn’t maintained and delicate information, together with messages, is saved in plaintext.
This was uncovered in Might 2025, when a hacker accessed a diagnostic endpoint and downloaded credentials and archived content material. The occasion triggered issues about nationwide safety within the U.S., after revelations that the product was being utilized by the Customs & Border Safety and officers, together with Mike Waltz.
CVE-2025-48927 was disclosed in Might and CISA added it to the Identified Exploited Vulnerabilities (KEV) catalog on July 1, requesting that each one federal businesses apply mitigations by July 22.
The company additionally listed CVE-2025-48928, a flaw in SGNL the place a JSP app exposes a reminiscence dump containing passwords despatched over HTTP to unauthorized customers.
CISOs know that getting board buy-in begins with a transparent, strategic view of how cloud safety drives enterprise worth.
This free, editable board report deck helps safety leaders current threat, affect, and priorities in clear enterprise phrases. Flip safety updates into significant conversations and sooner decision-making within the boardroom.
