Security researchers are tracking active exploitation of CVE-2025-48927, a serious vulnerability in the TeleMessage SGNL application that lets attackers retrieve usernames, passwords, and other sensitive information from the server's memory. TeleMessage SGNL, a messaging app derived from Signal and currently owned by Smarsh, is marketed as a secure, compliance-friendly communication platform for regulated organizations. This vulnerability raises serious questions about that security posture.
Exploitation and Scanning Activity
Threat intelligence firm GreyNoise has observed exploitation attempts from at least 11 IP addresses as of July 16. The firm also reported ongoing reconnaissance activity, including widespread scanning for Spring Boot Actuator endpoints. Over 2,000 IP addresses have been involved in the scanning, with more than 75 percent of them targeting the health endpoint. Because Spring Boot exposes the health endpoint over HTTP by default, hits against it are a cheap way to fingerprint a Spring Boot application before probing more sensitive endpoints.
The flaw is an unauthenticated Spring Boot Actuator heapdump endpoint. Anyone who can reach it can download a snapshot of the live JVM heap, which may contain plaintext usernames, passwords, session tokens, and other sensitive data that happened to be in memory at the time. TeleMessage has addressed the issue, but some on-premise deployments remain vulnerable.
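Defenders running an affected on-premise instance will want to know whether the reconnaissance described above ever turned into a successful heap download. The following is an added example, not code from the article, GreyNoise, or TeleMessage: it scans web access log lines in the common/combined format, tallies Actuator probes per source IP, and flags any 200 response to a data-leaking endpoint such as heapdump. The log lines, IP addresses, and the default /actuator base path are constructed assumptions.

```python
"""Flag Spring Boot Actuator reconnaissance and successful heapdump pulls in access logs."""
import re
from collections import Counter, defaultdict

# Common/combined log format: ip ident user [ts] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<size>\d+|-)"
)

# Endpoints that leak data when reachable. 'health' is tracked separately as a
# fingerprinting signal. Assumes the default /actuator base path.
SENSITIVE = {"heapdump", "env", "configprops", "mappings", "beans", "threaddump", "logfile"}

# Constructed sample log (not real traffic). One host fingerprints via /health and
# then pulls a ~184 MB heap; another is denied on /env; a third is ordinary traffic.
SAMPLE_LOG = """
203.0.113.10 - - [16/Jul/2025:08:00:01 +0000] "GET /actuator/health HTTP/1.1" 200 15
203.0.113.10 - - [16/Jul/2025:08:00:02 +0000] "GET /actuator/heapdump HTTP/1.1" 200 184123904
198.51.100.7 - - [16/Jul/2025:08:01:00 +0000] "GET /actuator/health HTTP/1.1" 200 15
198.51.100.7 - - [16/Jul/2025:08:01:01 +0000] "GET /actuator/env HTTP/1.1" 401 0
192.0.2.44 - - [16/Jul/2025:08:02:00 +0000] "GET /login HTTP/1.1" 200 2048
""".strip()


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def actuator_endpoint(path):
    """Return the Actuator endpoint name targeted by `path`, or None."""
    path = path.split("?", 1)[0]  # ignore query strings
    m = re.search(r"/actuator/([A-Za-z0-9_-]+)", path)
    return m.group(1) if m else None


def analyze(lines):
    """Summarise Actuator activity: probing IPs, health share, successful leaks."""
    per_ip = defaultdict(Counter)  # ip -> endpoint -> hit count
    leaks = []                     # 200 responses on data-leaking endpoints
    total = health = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ep = actuator_endpoint(rec["path"])
        if ep is None:
            continue
        total += 1
        health += ep == "health"
        per_ip[rec["ip"]][ep] += 1
        if ep in SENSITIVE and rec["status"] == "200":
            size = 0 if rec["size"] == "-" else int(rec["size"])
            leaks.append({"ip": rec["ip"], "endpoint": ep, "bytes": size, "ts": rec["ts"]})
    return {
        "recon_ips": sorted(per_ip),            # every IP that touched /actuator/*
        "health_share": health / total if total else 0.0,
        "leaks": leaks,                         # these need incident response, not just blocking
        "per_ip": {ip: dict(c) for ip, c in per_ip.items()},
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    print(f"IPs probing Actuator: {result['recon_ips']}")
    print(f"share of probes against /health: {result['health_share']:.0%}")
    for leak in result["leaks"]:
        print(f"LEAK {leak['ip']} pulled /actuator/{leak['endpoint']} ({leak['bytes']} bytes) at {leak['ts']}")
```

A 200 on heapdump with a multi-megabyte response size is the signature to treat as a confirmed credential exposure: rotate every secret the application held in memory rather than only blocking the source address.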
Recommended Actions
Organizations are advised to disable the heapdump endpoint, or at minimum remove it from web exposure, and to restrict all Actuator endpoints to trusted IP ranges, ideally on a separate management port behind authentication. Updating configurations to restrict diagnostic access is critical to minimizing exposure; after the change, a request to the heapdump URL from an untrusted address should return an error or not-found response rather than a download.
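Whether heapdump is actually reachable depends on several Spring Boot properties interacting (exclude wins over include, `*` means every endpoint, and the endpoint must itself be enabled). The following is an added example, not TeleMessage, Smarsh, or Spring code: a small auditor that parses an application.properties file and applies those exposure rules for Spring Boot 2.x/3.x property names, shown against a constructed weak configuration and a constructed hardened one. The property file contents and the management port number are assumptions for illustration.

```python
"""Audit application.properties for web-exposed Spring Boot Actuator endpoints."""

# Spring Boot's default web exposure is 'health' (older 2.x releases also included 'info').
DEFAULT_INCLUDE = {"health"}
INCLUDE_KEY = "management.endpoints.web.exposure.include"
EXCLUDE_KEY = "management.endpoints.web.exposure.exclude"

# Constructed weak configuration: exposes every endpoint on the application port.
WEAK = """
# everything over HTTP, no separate management port
management.endpoints.web.exposure.include=*
"""

# Constructed hardened configuration: only health/info, heapdump disabled outright,
# Actuator moved to a separate port that the firewall limits to trusted ranges.
HARDENED = """
management.endpoints.web.exposure.include=health,info
management.endpoints.web.exposure.exclude=heapdump,env
management.endpoint.heapdump.enabled=false
management.server.port=8081
"""


def parse_properties(text):
    """Minimal Java .properties parser: '=' or ':' separators, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def _csv(value):
    return {v.strip() for v in value.split(",") if v.strip()}


def web_exposed(props, endpoint):
    """True if `endpoint` is reachable over HTTP under Actuator's exposure rules."""
    enabled_default = props.get("management.endpoints.enabled-by-default", "true").lower() == "true"
    enabled = props.get(f"management.endpoint.{endpoint}.enabled", str(enabled_default)).lower() == "true"
    if not enabled:
        return False                      # a disabled endpoint is never served
    include = _csv(props[INCLUDE_KEY]) if INCLUDE_KEY in props else DEFAULT_INCLUDE
    exclude = _csv(props.get(EXCLUDE_KEY, ""))
    if endpoint in exclude or "*" in exclude:
        return False                      # exclude takes precedence over include
    return endpoint in include or "*" in include


def audit(text):
    """Return a list of human-readable findings for a properties file."""
    props = parse_properties(text)
    findings = []
    if web_exposed(props, "heapdump"):
        findings.append("heapdump is web-exposed: the JVM heap (credentials, tokens) is downloadable")
    for ep in ("env", "configprops", "threaddump", "logfile"):
        if web_exposed(props, ep):
            findings.append(f"{ep} is web-exposed")
    if "management.server.port" not in props:
        findings.append("Actuator shares the application port; use management.server.port and firewall it")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED), ("spring defaults", "")):
        print(f"[{name}]")
        for f in audit(cfg) or ["no findings"]:
            print("  -", f)
```

Note that an untouched Spring Boot default only exposes health, so the dangerous state is an explicit `include=*` (or one that names heapdump) without a matching exclude; the auditor reports that case and also nags when Actuator still shares the application port.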
Security Concerns Around Encryption
Although the TeleMessage SGNL app claims to offer encrypted communication with automatic archiving for compliance and record-keeping, researchers have found flaws in its implementation. In May 2025, a hacker exploited a diagnostic endpoint and downloaded credentials along with archived messages, which were stored in plaintext. This led to growing concerns about the app's use within federal agencies, including Customs and Border Protection, and by public figures such as Mike Waltz.
Government Response
The Cybersecurity and Infrastructure Security Agency added CVE-2025-48927 to its Known Exploited Vulnerabilities catalog on July 1. Federal agencies have been instructed to apply mitigations by July 22. CISA also listed CVE-2025-48928, a separate vulnerability affecting the SGNL app. This flaw involves a JSP application whose memory dumps, which contain passwords previously sent over HTTP, are exposed to unauthorized use.