Researchers are seeing exploitation attempts for the CVE-2025-48927 vulnerability in the TeleMessage SGNL app, which allows retrieving usernames, passwords, and other sensitive data.
TeleMessage SGNL is a Signal clone app now owned by Smarsh, a compliance-focused company that provides cloud-based or on-premisses communication solutions to various organizations.
Scanning for vulnerable endpoints
Threat monitoring firm GreyNoise has observed multiple attempts to exploit CVE-2025-48927, likely by different threat actors.
“As of July 16, GreyNoise has observed 11 IPs attempting to exploit CVE-2025-48927,” reports GreyNoise.
“Related reconnaissance behavior is ongoing. Our telemetry shows active scanning for Spring Boot Actuator endpoints, a potential precursor to identifying systems affected by CVE-2025-48927.”
According to GreyNoise, more than two thousand IPs have scanned for Sprint Boot Actuator endpoints over the past months, a little over 75% of them targeting the ‘/health’ endpoints specifically.
The CVE-2025-48927 vulnerability is caused by exposing the ‘/heapdump’ endpoint from Spring Boot Actuator without authentication. TeleMessage addressed the issue but some on-prem installations are still vulnerable.
When using outdated Spring Boot configurations that do not restrict access to diagnostic endpoints, the flaw lets an attacker download a full Java heap memory dump of approximately 150MB, which may contain plaintext usernames, passwords, tokens, and other sensitive data.
To defend against these attacks, it is recommended to disable or restrict access to the /heapdump endpoint only to trusted IP ranges and limit the exposure of all Actuator endpoints as much as possible.
... continue reading