Full Report
## Background

On the first of July (2025), CISA’s KEV brought a fun little vulnerability to my attention. The alert reports two newly known exploited vulnerabilities: CVE-2025-48927 and CVE-2025-48928. CVE-2025-48928 requires local exploitation, and so is not “GreyNoiseable” at this time. However, CVE-2025-48927 is remotely exploitable and requires no user interaction. It exists in TeleMessage TM SGNL, a Signal clone that archives copies of all messages passing through it.

The commonly cited Wired article does a good job of covering the background and “technical” details. Still, even as a researcher, I was left in disbelief at the simplicity of this exploit. Was there a hype cycle for this? If so, I must have missed it, and many others must have as well, because after some digging, I found that many devices are still open and vulnerable to this.

## Vulnerability details

CVE-2025-48927 is assigned to TeleMessage Smarsh, but the underlying issue exists in Spring Boot Actuator, which exposes the /heapdump endpoint publicly without authentication by default. What does that mean? It means that a simple `curl -X GET http://:/heapdump` has the potential to download a ~150MB file containing plain-text usernames and passwords (and more)!

The NVD NIST description states that the TeleMessage service, through 2025-05-05, continued to configure Spring Boot this way; however, the Wired article mentions that this default configuration was only present in Spring Boot up to version 1.5 from 2017.

The simplest mitigation for this vulnerability is to block access to all Spring Boot Actuator endpoints other than /health and /info. As of 2025-07-22, users of TeleMessage SGNL should already be updated and secure.

## Scale

As of 2025-07-14 I was able to aggregate 334 IPs between Shodan and Censys that were currently running Spring Boot Actuator. Of those, 217 were found to have the /info endpoint open, which does not bode well for whether or not they have /heapdump accessible.

Within the past 90 days, we’ve seen 2,006 IPs scanning for Spring Boot Actuator endpoints in general, 1,580 scanning for Spring Boot /health checks (as indications of poor configuration), and we are now tracking checks for /heapdump.

## TL;DR

CVE-2025-48927 is a critical vulnerability affecting TeleMessage TM SGNL, a Signal clone that archives all messages passing through it. The vulnerability is rooted in the Spring Boot Actuator framework, which exposes the /heapdump endpoint publicly and without authentication by default. Exploiting this flaw is trivial: an attacker can simply send a GET request to /heapdump and download a large file (~150MB) containing sensitive, plain-text data such as usernames and passwords. The issue persisted in TeleMessage services up to May 5, 2025, but some sources claim the vulnerable default configuration was only present in software versions up to 1.5 from 2017. The simplest mitigation is to block access to all Spring Boot endpoints except /health and /info.

As of July 14, 2025:

- 334 IPs were identified as running Spring Boot Actuator [1][2].
- 217 had the /info endpoint open, suggesting possible exposure of /heapdump.
- In the past 90 days, 2,006 IP addresses were observed scanning for Spring Boot Actuator endpoints, with 1,580 targeting /health, and active monitoring continues for /heapdump scans.

The vulnerability is deemed severe because of how easily it can be exploited and the sensitive data it exposes.

h0wdy’s socials: mastodon, bluesky

## References

- https://nvd.nist.gov/vuln/detail/CVE-2025-48927#match-16819522
- https://www.wired.com/story/how-the-signal-knock-off-app-telemessage-got-hacked-in-20-minutes/
- https://www.wiz.io/blog/spring-boot-actuator-misconfigurations
- https://docs.spring.io/spring-boot/api/rest/actuator/heapdump.html
- https://viz.greynoise.io/tags/telemessage-tm-sgnl-spring-boot-actuator--heapdump-disclosure-cve-2025-48927-attempt?days=90
Analysis Summary
# Vulnerability: TeleMessage TM SGNL / Spring Boot Actuator Heapdump Disclosure
## CVE Details
- CVE ID: CVE-2025-48927
- CVSS Score: N/A (Severity implied as Critical due to data exposure)
- CWE: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
## Affected Systems
- Products: TeleMessage TM SGNL (a Signal clone)
- Versions: TeleMessage services configured similarly to the Spring Boot default, through 2025-05-05. The underlying default configuration issue is cited in Spring Boot up to version 1.5 (from 2017).
- Configurations: Public exposure of the Spring Boot Actuator `/heapdump` endpoint without authentication.
## Vulnerability Description
CVE-2025-48927 stems from the default configuration of the Spring Boot Actuator component within the TeleMessage service. This configuration publicly exposes the `/heapdump` endpoint without requiring any authentication. Exploitation allows an attacker to download a heap dump file (approximately 150MB) which contains sensitive data in plain text, including usernames and passwords. This vulnerability affects data processed and archived by the TeleMessage TM SGNL application.
## Exploitation
- Status: Exploited in the wild (Reported on CISA KEV as newly known exploited)
- Complexity: Low (Trivial exploitation)
- Attack Vector: Network (Remote exploitation requiring no user interaction)
## Impact
- Confidentiality: High (Leads to dump of plain-text credentials and other sensitive data)
- Integrity: Potential (Depends on credentials exposed)
- Availability: Low (No operational impact reported)
## Remediation
### Patches
- Users of TeleMessage SGNL should be updated and secure as of 2025-07-22. (Specific patch version not provided in the text.)
### Workarounds
- Block all access to Spring Boot Actuator endpoints (e.g., `/heapdump`, `/env`, the `/actuator` prefix as a whole) via network controls, allowing only `/health` and `/info` through, and only if they are strictly necessary for operational monitoring.
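The network-level block above has an application-level counterpart in Spring Boot's own exposure properties. The checker below is an added example, not code from the page or from Spring: it models the Actuator web-exposure rules of Spring Boot 2.x and later (`management.endpoints.web.exposure.include`, default `health`, selects endpoint ids; `...exclude` removes ids and wins over include; `*` means all; `management.endpoint.<id>.enabled=false` disables an endpoint outright) and runs it over a constructed weak configuration and a constructed hardened one that keeps only `/health` and `/info`. Spring Boot 1.x used different property names and is not modelled.

```python
# Constructed checker for Spring Boot 2.x+ Actuator web exposure (not Spring's code).
# Rules modelled: `management.endpoints.web.exposure.include` selects endpoint ids
# (default: health), `...exclude` removes ids and wins over include, `*` means all,
# and `management.endpoint.<id>.enabled=false` disables an endpoint outright.

def parse_properties(text: str) -> dict:
    """Minimal .properties parser: key=value lines, '#' comments, whitespace stripped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def _id_set(value: str) -> set:
    return {v.strip() for v in value.split(",") if v.strip()}

def is_web_exposed(props: dict, endpoint: str) -> bool:
    """True if the endpoint would be reachable over HTTP under these properties."""
    if props.get(f"management.endpoint.{endpoint}.enabled", "true").lower() == "false":
        return False
    include = _id_set(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _id_set(props.get("management.endpoints.web.exposure.exclude", ""))
    if "*" in exclude or endpoint in exclude:
        return False
    return "*" in include or endpoint in include

def audit(text: str) -> dict:
    """Exposure verdict for the endpoints relevant to this report."""
    props = parse_properties(text)
    return {ep: is_web_exposed(props, ep) for ep in ("health", "info", "heapdump", "env")}

# Constructed sample configs (not from the TeleMessage deployment).
WEAK_CONFIG = """
# exposes every Actuator endpoint over HTTP, heapdump included
management.endpoints.web.exposure.include=*
"""
HARDENED_CONFIG = """
# only the two endpoints the report recommends leaving reachable
management.endpoints.web.exposure.include=health,info
# and disable heapdump outright so a later exposure change cannot bring it back
management.endpoint.heapdump.enabled=false
"""

if __name__ == "__main__":
    print("weak:     ", audit(WEAK_CONFIG))
    print("hardened: ", audit(HARDENED_CONFIG))
```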
## Detection
- Indicators of Compromise: Network observations of `GET /heapdump` requests targeting the application server.
- Detection methods and tools: Scanning for Spring Boot Actuator endpoints. As of 2025-07-14, 334 such IPs were identified via Shodan/Censys. Monitoring for incoming traffic targeting `/heapdump` is advised.
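To make the "monitor for traffic targeting `/heapdump`" advice concrete, here is an added example (not code from the page or from GreyNoise) that runs over constructed web-server access-log lines in common log format. It separates mere probes from requests that were answered with a large 200 body, which is the signature of a dump actually being served; the `/actuator` prefix, context paths and the log format are assumptions about the deployment.

```python
import re
from collections import Counter

# Common/combined access-log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# heapdump at the root (Spring Boot 1.x layout) or under the 2.x+ /actuator prefix,
# with or without a context path; trailing slash and query string tolerated.
HEAPDUMP_RE = re.compile(r'(?:^|/)(?:actuator/)?heapdump/?(?:\?.*)?$')

def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def heapdump_hits(lines):
    """Requests that targeted the heapdump endpoint, regardless of outcome."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and HEAPDUMP_RE.search(rec["path"]):
            rec["status"] = int(rec["status"])
            rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
            hits.append(rec)
    return hits

def likely_disclosures(hits, min_bytes=1_000_000):
    """Hits answered 200 with a large body: a dump was actually served, not just probed."""
    return [h for h in hits if h["status"] == 200 and h["size"] >= min_bytes]

# Constructed sample log lines (not real traffic); sizes near the ~150MB the report cites.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Jul/2025:10:01:02 +0000] "GET /actuator/health HTTP/1.1" 200 15',
    '203.0.113.5 - - [14/Jul/2025:10:01:03 +0000] "GET /actuator/heapdump HTTP/1.1" 401 0',
    '198.51.100.7 - - [14/Jul/2025:10:02:10 +0000] "GET /heapdump HTTP/1.1" 200 157286400',
    '198.51.100.7 - - [14/Jul/2025:10:02:11 +0000] "GET /app/actuator/heapdump?x=1 HTTP/1.1" 200 157286400',
    '192.0.2.9 - - [14/Jul/2025:10:03:00 +0000] "GET /static/heapdump.png HTTP/1.1" 200 512',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    hits = heapdump_hits(SAMPLE_LOG)
    print("heapdump probes per source:", dict(Counter(h["ip"] for h in hits)))
    for h in likely_disclosures(hits):
        print("LIKELY DISCLOSURE", h["ip"], h["ts"], h["path"], h["size"])
```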
## References
- Vendor Advisories: Not explicitly listed, but updates were expected by 2025-07-22.
- Relevant links (defanged):
  - nvd dot nist dot gov/vuln/detail/CVE-2025-48927#match-16819522
  - wired dot com/story/how-the-signal-knock-off-app-telemessage-got-hacked-in-20-minutes/
  - viz dot greynoise dot io/tags/telemessage-tm-sgnl-spring-boot-actuator--heapdump-disclosure-cve-2025-48927-attempt?days=90