Signal App Clone Vulnerability Actively Exploited for Password Theft

A critical vulnerability in TeleMessage TM SGNL, an enterprise messaging platform modeled after Signal, is being actively exploited by threat actors to steal passwords and sensitive data from government agencies and enterprises.

The flaw, tracked as CVE-2025-48927, was added to CISA's Known Exploited Vulnerabilities catalog on July 14th. CISA lists a CVE there only on evidence of active exploitation in the wild, so the listing confirms real-world attacks rather than merely theoretical risk.

Vulnerability Details

CVE-2025-48927 affects certain deployments of TeleMessage TM SGNL, a secure communications archiving system used by government agencies and enterprises to maintain records of encrypted messaging. The flaw lies in the server-side archiving backend, not in the Signal protocol or the messaging client itself.

Field               Details
CVE ID              CVE-2025-48927
CVSS Score          Not yet assigned
Affected Product    TeleMessage TM SGNL
Vulnerability Type  Information Disclosure

The vulnerability stems from the platform’s continued use of legacy configurations in Spring Boot Actuator, where a diagnostic /heapdump endpoint remains publicly accessible without authentication.

When exploited, this endpoint can return a complete snapshot of heap memory—approximately 150MB—containing plaintext usernames, passwords, and other highly sensitive information.

Newer versions of Spring Boot no longer expose such endpoints over HTTP by default (only the health endpoint is web-exposed unless an operator explicitly includes others via management.endpoints.web.exposure.include), but public reporting indicates that TeleMessage instances continued using the vulnerable configuration through at least May 5, 2025.

Security researchers at GreyNoise have documented an ongoing exploitation campaign targeting this vulnerability.

As of July 16, the firm has observed 11 IP addresses actively attempting to exploit CVE-2025-48927, with related reconnaissance activity continuing to expand.

The threat actors are conducting systematic scanning operations to identify vulnerable systems.

GreyNoise telemetry reveals that 2,009 IP addresses have scanned for Spring Boot Actuator endpoints over the past 90 days, with 1,582 specifically targeting /health endpoints commonly used to detect internet-exposed Spring Boot deployments.
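The scanning pattern described above (a probe of /health or /actuator/health to fingerprint an exposed Actuator, followed by a request for /heapdump) is easy to spot in ordinary web-server access logs. The following is an added example, not code from the article or from GreyNoise, showing detection logic run over a few constructed combined-format log lines. It assumes the default Actuator base path (/actuator) or the root-mounted style (/heapdump) and treats a 200 response to /heapdump as an actual dump retrieval rather than a mere attempt.

```python
"""Flag Spring Boot Actuator recon and /heapdump retrieval in web access logs (added example)."""
import re
from collections import defaultdict

# Parser for nginx/Apache combined-format lines (assumed format for the constructed sample).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Endpoints whose response body itself leaks data (dumps, environment, config, beans).
DATA_ENDPOINTS = {"heapdump", "env", "configprops", "beans", "mappings",
                  "threaddump", "dump", "trace", "httptrace", "logfile"}
# Endpoints scanners use to fingerprint an exposed Actuator before going for the data.
RECON_ENDPOINTS = {"health", "info", "actuator"}


def actuator_endpoint(path: str):
    """Map a request path to an Actuator endpoint name, or None for unrelated paths.

    Handles the Spring Boot 1.x root-mounted style (/heapdump) and the 2.x+ default
    base path (/actuator/heapdump). A custom base-path is not covered (assumption).
    """
    clean = path.split("?", 1)[0]
    segs = [s for s in clean.split("/") if s]
    if not segs:
        return None
    if segs[0].lower() == "actuator":
        segs = segs[1:] or ["actuator"]  # bare /actuator is the endpoint index page
    name = segs[0].lower()
    if name in DATA_ENDPOINTS or name in RECON_ENDPOINTS:
        return name
    return None


def analyze(log_text: str) -> dict:
    """Return a per-source-IP summary: hit counts per category, paths seen and a verdict."""
    per_ip = defaultdict(lambda: {"recon": 0, "exploit_attempt": 0,
                                  "heapdump_served": 0, "paths": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        name = actuator_endpoint(m["path"])
        if name is None:
            continue
        rec = per_ip[m["ip"]]
        rec["paths"].add(m["path"])
        status = int(m["status"])
        if name in DATA_ENDPOINTS:
            # A 200 on /heapdump means the server actually handed over heap memory.
            if name == "heapdump" and status == 200:
                rec["heapdump_served"] += 1
            else:
                rec["exploit_attempt"] += 1
        else:
            rec["recon"] += 1

    result = {}
    for ip, rec in per_ip.items():
        if rec["heapdump_served"]:
            verdict = "critical"   # treat every secret in that JVM as exposed
        elif rec["exploit_attempt"]:
            verdict = "high"       # data endpoint requested but blocked or missing
        else:
            verdict = "low"        # fingerprinting only, e.g. a health-check scan
        result[ip] = {**rec, "paths": sorted(rec["paths"]), "verdict": verdict}
    return result


# Constructed sample log lines; the IPs are documentation ranges, not real scanners.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Jul/2025:08:01:12 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Jul/2025:08:01:13 +0000] "GET /actuator/heapdump HTTP/1.1" 200 157286400 "-" "python-requests/2.31"
198.51.100.7 - - [16/Jul/2025:08:02:00 +0000] "GET /health HTTP/1.1" 404 153 "-" "curl/8.4.0"
198.51.100.7 - - [16/Jul/2025:08:02:01 +0000] "GET /heapdump HTTP/1.1" 404 153 "-" "curl/8.4.0"
198.51.100.7 - - [16/Jul/2025:08:02:02 +0000] "GET /env HTTP/1.1" 403 0 "-" "curl/8.4.0"
10.0.0.5 - - [16/Jul/2025:08:03:00 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "kube-probe/1.29"
192.0.2.44 - - [16/Jul/2025:08:03:30 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, rec in analyze(SAMPLE_LOG).items():
        print(f"{ip:15} {rec['verdict']:8} recon={rec['recon']} "
              f"attempts={rec['exploit_attempt']} dumps={rec['heapdump_served']} {rec['paths']}")
```

A "critical" verdict should trigger credential rotation for everything that JVM held in memory, not just a block of the source IP, since the dump has already left the host.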

Organizations running Spring Boot applications, particularly those implementing secure messaging or internal communication tools, should immediately verify whether /heapdump (or /actuator/heapdump) is reachable from the internet without authentication.

Security teams should disable or restrict access to the /heapdump endpoint, limit exposure of all Actuator endpoints unless explicitly required, and review deployment configurations to upgrade to supported Spring Boot versions with secure defaults. Because a single successful request returns the live heap, any credentials, tokens or session material held by an instance that was exposed should be treated as compromised and rotated, not merely protected going forward.
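The configuration review above comes down to a handful of Spring Boot properties. The following is an added example, not code from the article or from TeleMessage, that audits an application.properties file for the settings that put /heapdump on the network unauthenticated and carries the hardened settings alongside. It covers the Spring Boot 2.x/3.x exposure keys (management.endpoints.web.exposure.include and friends) and the two 1.x keys that switch off the built-in protection (management.security.enabled, endpoints.heapdump.sensitive); the newer management.endpoints.access.* keys are not handled, and all sample property files are constructed.

```python
"""Audit Spring Boot properties for an HTTP-exposed, unauthenticated /heapdump (added example)."""


def parse_properties(text: str) -> dict:
    """Minimal .properties reader: 'key=value' or 'key: value', '#'/'!' comments, no continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            continue  # bare key with no value; irrelevant for this audit
        idx = min(seps)
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def _csv(value: str) -> set:
    return {s.strip().lower() for s in value.split(",") if s.strip()}


def audit_heapdump(props: dict) -> list:
    """Return a list of findings; an empty list means /heapdump is not web-exposed by these keys."""
    findings = []

    # --- Spring Boot 2.x / 3.x: web exposure is opt-in, default include list is just "health" ---
    include = _csv(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    enabled_default = props.get("management.endpoints.enabled-by-default", "true").lower() != "false"
    hd_enabled_raw = props.get("management.endpoint.heapdump.enabled")
    hd_enabled = hd_enabled_raw.lower() == "true" if hd_enabled_raw is not None else enabled_default
    exposed = ("*" in include or "heapdump" in include) and not ("*" in exclude or "heapdump" in exclude)
    if exposed and hd_enabled:
        base = props.get("management.endpoints.web.base-path", "/actuator").rstrip("/")
        port = props.get("management.server.port", props.get("server.port", "8080"))
        why = " (exposure.include=*)" if "*" in include else ""
        findings.append(f"heapdump exposed over HTTP at {base}/heapdump on port {port}{why}")

    # --- Spring Boot 1.x: endpoints are root-mounted (/heapdump) and 'sensitive' unless told otherwise ---
    if props.get("management.security.enabled", "true").lower() == "false":
        findings.append("management.security.enabled=false: 1.x sensitive endpoints, /heapdump included, "
                        "are served without authentication")
    if props.get("endpoints.heapdump.sensitive", "true").lower() == "false":
        findings.append("endpoints.heapdump.sensitive=false: /heapdump marked non-sensitive, served without auth")
    return findings


# Constructed: the kind of legacy 2.x config that mirrors the flaw described in the article.
LEGACY_WIDE_OPEN = """\
server.port=8080
# everything on the web, shared with the application port
management.endpoints.web.exposure.include=*
"""

# Constructed: Spring Boot 1.x with the built-in protection switched off.
BOOT1_WEAK = """\
server.port=8080
management.security.enabled=false
"""

# Hardened settings: only health over HTTP, heapdump off, management on its own port.
HARDENED_PROPERTIES = """\
management.endpoints.web.exposure.include=health
management.endpoint.heapdump.enabled=false
# Bind the management port to an address that is not published to the internet.
management.server.port=8081
management.server.address=127.0.0.1
"""

if __name__ == "__main__":
    for label, text in (("legacy", LEGACY_WIDE_OPEN), ("boot1", BOOT1_WEAK), ("hardened", HARDENED_PROPERTIES)):
        print(label, audit_heapdump(parse_properties(text)) or ["ok"])
```

Disabling the endpoint is the setting that matters; moving it to a separate port only helps if that port really is unreachable, so pair the property change with a network check from outside the perimeter.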

GreyNoise has created dedicated tags to track scanning activity related to this vulnerability and continues monitoring for shifts in exploitation patterns.

The security firm is also developing enhanced dynamic IP blocklists to help organizations respond more rapidly to emerging threats targeting this and similar vulnerabilities.
