Signal App Clone TeleMessage Vulnerability May Leak Passwords; Hackers Exploiting It


A critical security vulnerability in TeleMessage™ SGNL, an enterprise messaging system modeled after Signal, has been actively exploited by cybercriminals seeking to extract sensitive user credentials and personal data.

The flaw, designated CVE-2025-48927, affects government agencies and enterprises using this secure communication platform for archiving confidential messages.

Key Takeaways
1. CVE-2025-48927 in Signal clone TeleMessage™ SGNL exposes passwords.
2. 11 IPs exploiting the vulnerability, 2,000+ scanning for vulnerable systems in 90 days.
3. Disable /heapdump endpoint, block malicious IPs, upgrade Spring Boot immediately.

Overview of Spring Boot Actuator Flaw

The vulnerability stems from TeleMessage™ SGNL's continued use of legacy Spring Boot Actuator configurations, where a diagnostic /heapdump endpoint remains publicly accessible without authentication.


This endpoint can return complete snapshots of heap memory, approximately 150MB in size, potentially containing plaintext usernames, passwords, and other sensitive data.

While newer versions of Spring Boot have addressed this security concern by disabling public access to such endpoints by default, TeleMessage instances continued using the vulnerable configuration through at least May 5, 2025. 

The severity of this issue prompted the Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2025-48927 to its Known Exploited Vulnerabilities (KEV) catalog on July 14th.

Active Exploitation of CVE-2025-48927 

GreyNoise Research has identified significant malicious activity targeting this vulnerability. As of July 16, 11 IP addresses have been observed attempting to exploit CVE-2025-48927. 

The security firm created a dedicated tracking tag on July 10 to monitor these exploitation attempts.

More concerning is the broader reconnaissance activity preceding these attacks. GreyNoise telemetry reveals that 2,009 IP addresses have scanned for Spring Boot Actuator endpoints within the past 90 days. 


Of these, 1,582 IPs specifically targeted /health endpoints, commonly used by attackers to identify internet-exposed Spring Boot deployments vulnerable to exploitation.

The research team has launched a dedicated tag to track scanning activities: "TeleMessage™ SGNL Spring Boot Actuator /heapdump Disclosure".

This systematic approach to identifying vulnerable systems suggests organized cybercriminal campaigns rather than opportunistic attacks.

Risk Factors            Details
Affected Products       TeleMessage™ SGNL (Signal clone enterprise messaging system)
Impact                  Exposure of plaintext usernames, passwords, and sensitive data through heap memory dumps (~150MB snapshots)
Exploit Prerequisites   Publicly accessible /heapdump endpoint without authentication in legacy Spring Boot Actuator configurations
CVSS 3.1 Score          5.3 (Medium)

Organizations utilizing Spring Boot frameworks, particularly those operating secure messaging environments, must immediately verify whether their /heapdump endpoints are exposed to the internet. 

GreyNoise recommends blocking malicious IPs using their threat intelligence feeds, specifically targeting SPRING BOOT ACTUATOR CRAWLER and SPRING BOOT ACTUATOR HEALTH SCANNER activities.

Critical remediation steps include disabling or restricting access to the /heapdump endpoint, limiting exposure of all Actuator endpoints unless explicitly required, and upgrading to supported Spring Boot versions with secure defaults. 
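To show what the reconnaissance and exploitation pattern described above looks like from the server side, here is an added example (not code from the article, GreyNoise or TeleMessage) that triages constructed web-server access-log lines: it separates sources that only probed a health endpoint from those that requested a heap dump, and flags cases where a large dump was actually served. The log format, endpoint paths and the 1 MB size threshold are assumptions for the example.

```python
import re
from collections import defaultdict

# Combined-log-format line: ip ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-)')
# Spring Boot 1.x served Actuator at the root; 2.x moved it under /actuator.
HEAPDUMP_PATHS = {"/heapdump", "/actuator/heapdump"}
HEALTH_PATHS = {"/health", "/actuator/health"}

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = (rec["path"].split("?", 1)[0].rstrip("/") or "/").lower()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def triage(lines):
    """Label each source IP: 'dump-served' or 'exploitation-attempt' if it requested a
    heap dump, 'recon' if it only probed a health endpoint; other traffic is ignored."""
    hits = defaultdict(lambda: {"heapdump": 0, "health": 0, "served": False})
    for rec in filter(None, map(parse_line, lines)):
        if rec["path"] in HEAPDUMP_PATHS:
            hits[rec["ip"]]["heapdump"] += 1
            # 200 with a multi-megabyte body means a heap snapshot actually left the server
            if rec["status"] == 200 and rec["size"] > 1_000_000:
                hits[rec["ip"]]["served"] = True
        elif rec["path"] in HEALTH_PATHS:
            hits[rec["ip"]]["health"] += 1
    labels = {}
    for ip, h in hits.items():
        if h["heapdump"]:
            labels[ip] = "dump-served" if h["served"] else "exploitation-attempt"
        elif h["health"]:
            labels[ip] = "recon"
    return labels

# Constructed sample lines; 192.0.2.0/24 is the RFC 5737 documentation range, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Jul/2025:10:01:02 +0000] "GET /actuator/health HTTP/1.1" 200 15',
    '192.0.2.10 - - [16/Jul/2025:10:01:03 +0000] "GET /heapdump HTTP/1.1" 200 157286400',
    '192.0.2.11 - - [16/Jul/2025:10:05:00 +0000] "GET /health HTTP/1.1" 404 0',
    '192.0.2.12 - - [16/Jul/2025:10:06:00 +0000] "GET /actuator/heapdump?x=1 HTTP/1.1" 401 0',
    '192.0.2.13 - - [16/Jul/2025:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
```

A "dump-served" label is the case to treat as a credential exposure, since the heap snapshot left the server; "recon" hits are the /health probing the article describes and are worth counting but not alerting on individually.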
