Hackers Target TeleMessage App’s CVE-2025-48927 Vulnerability, GreyNoise Reports
Hackers are actively exploiting CVE-2025-48927 in TeleMessage's TM SGNL app, a modified Signal client used by government agencies and enterprises for secure messaging with compliance archiving.
According to a July 2025 report from threat intelligence firm GreyNoise, 11 IP addresses have attempted to exploit the flaw since April 2025. In the same 90-day window GreyNoise observed 2,009 IPs scanning for Spring Boot Actuator endpoints and 1,582 probing /health endpoints, the usual first step in locating an Actuator deployment, which points to widespread reconnaissance rather than a single targeted campaign.
The vulnerability stems from an unauthenticated /heapdump endpoint left reachable by a legacy Spring Boot Actuator configuration. The endpoint returns a snapshot of the running JVM's memory, so anything resident at the time of the request can be recovered offline with a heap analysis tool, including plaintext usernames and passwords, session tokens and archived message content. In Spring Boot 2.x and later the heapdump endpoint is not exposed over HTTP by default, which is why GreyNoise describes the configuration as legacy.
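The scanning pattern GreyNoise describes (probe /health or /actuator, then request the dump) is easy to pick out of ordinary web server access logs. The script below is an added example written for this page, not GreyNoise's tooling or anything from TeleMessage. It parses lines in the common combined log format, recognises both the legacy root-level paths (/heapdump, /health) and the Spring Boot 2.x+ layout (/actuator/heapdump), and ranks each source IP: a sensitive endpoint answered with HTTP 200 is treated as a successful dump, a request that was refused is still a probe worth investigating, and health/info-only traffic is low-severity reconnaissance. The log lines embedded in it are constructed sample data, not captured traffic.

```python
import re
from collections import defaultdict

# Combined log format (nginx/Apache): ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Actuator endpoints whose output is sensitive on its own; heapdump is the one in CVE-2025-48927.
SENSITIVE = {"heapdump", "env", "configprops", "beans", "mappings",
             "threaddump", "loggers", "jolokia", "shutdown"}
# Endpoints that reveal little but are what scanners probe first (the /health traffic GreyNoise counts).
RECON = {"health", "info", "actuator-root"}

SEVERITY_RANK = {"critical": 0, "high": 1, "low": 2}

# Constructed sample log lines (documentation IP ranges); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2025:12:01:03 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2025:12:01:04 +0000] "GET /actuator HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2025:12:01:05 +0000] "GET /heapdump HTTP/1.1" 200 52428800 "-" "python-requests/2.31.0"
198.51.100.22 - - [10/Jul/2025:12:05:10 +0000] "GET /health HTTP/1.1" 200 15 "-" "curl/8.4.0"
198.51.100.22 - - [10/Jul/2025:12:05:11 +0000] "GET /actuator/heapdump HTTP/1.1" 401 0 "-" "curl/8.4.0"
192.0.2.9 - - [10/Jul/2025:12:07:00 +0000] "GET /health HTTP/1.1" 200 15 "-" "kube-probe/1.29"
192.0.2.50 - - [10/Jul/2025:12:08:00 +0000] "GET /api/messages?page=2 HTTP/1.1" 200 812 "-" "okhttp/4.9.3"
"""


def classify(path: str):
    """Map a request path to (kind, endpoint, legacy_prefix), or None if it is not an Actuator path.

    Handles the Spring Boot 2.x+ layout (/actuator/<endpoint>) and the legacy 1.x layout
    where endpoints sat at the web root (/heapdump, /health, ...). Query strings are ignored.
    """
    parts = [p for p in path.split("?", 1)[0].lower().split("/") if p]
    if not parts:
        return None
    if parts[0] == "actuator":
        endpoint = parts[1] if len(parts) > 1 else "actuator-root"
        legacy = False
    else:
        endpoint, legacy = parts[0], True
    if endpoint in SENSITIVE:
        return "sensitive", endpoint, legacy
    if endpoint in RECON:
        return "recon", endpoint, legacy
    return None


def analyze(log_text: str):
    """Aggregate Actuator probes per source IP: which endpoints were requested and which were served."""
    per_ip = defaultdict(lambda: {"recon": set(), "sensitive": set(),
                                  "succeeded": set(), "legacy_paths": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify(m["path"])
        if hit is None:
            continue
        kind, endpoint, legacy = hit
        rec = per_ip[m["ip"]]
        rec[kind].add(endpoint)
        rec["legacy_paths"] |= legacy
        # A 200 on a sensitive endpoint means the data was actually served, not merely requested.
        if kind == "sensitive" and m["status"] == "200":
            rec["succeeded"].add(endpoint)
    return per_ip


def triage(per_ip):
    """Rank IPs: served dump = critical, refused dump request = high, health/info only = low."""
    findings = []
    for ip, rec in per_ip.items():
        if rec["succeeded"]:
            severity = "critical"
        elif rec["sensitive"]:
            severity = "high"
        elif rec["recon"]:
            severity = "low"
        else:
            continue
        findings.append({
            "ip": ip,
            "severity": severity,
            "sensitive": sorted(rec["sensitive"]),
            "served": sorted(rec["succeeded"]),
            "recon": sorted(rec["recon"]),
            "legacy_paths": rec["legacy_paths"],
        })
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["ip"]))
    return findings


if __name__ == "__main__":
    for f in triage(analyze(SAMPLE_LOG)):
        print(f"{f['severity']:8} {f['ip']:15} served={f['served']} probed={f['sensitive']} recon={f['recon']}")
```

Run against a real log by replacing SAMPLE_LOG with the file contents. A critical finding should be treated as a data exposure, not a blocked attempt: the response size on the sample /heapdump line (50 MB) is typical of a full dump, and at that point blocking the IP no longer helps.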
The issue “stems from the platform’s continued use of a legacy configuration in Spring Boot Actuator, where a diagnostic /heapdump endpoint is publicly accessible without authentication,” GreyNoise researchers stated. Howdy Fisher of GreyNoise noted: “TeleMessage has stated that the vulnerability has been patched on their end. However, patch timelines can vary depending on a variety of factors.”
TeleMessage, acquired by Smarsh in 2024, temporarily suspended services in May 2025 after a breach exposed archived data. The app’s users, including former U.S. official Mike Waltz, U.S. Customs and Border Protection, and Coinbase, face significant risks due to its use in sensitive communications.
GreyNoise recommends blocking the IPs it has flagged, disabling or restricting the /heapdump endpoint, and limiting Actuator endpoint exposure generally. Blocking the listed IPs only covers sources GreyNoise has already observed, so it is a stopgap; the durable fix is to confirm the patched TeleMessage build is actually deployed, keep diagnostic endpoints off the public interface (a separate management port or an authenticated path), and verify externally that /heapdump and /actuator/heapdump no longer answer without credentials.
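For operators running their own Spring Boot services, the exposure GreyNoise describes is a property-file question: which Actuator endpoints are included in web exposure, which are excluded, and whether the endpoint is enabled at all. The checker below is an added example for this page (not TeleMessage's or GreyNoise's code). It assumes the Spring Boot 2.x/3.x property names (`management.endpoints.web.exposure.include/exclude`, `management.endpoint.<name>.enabled`, `management.endpoints.enabled-by-default`) and the documented precedence: a disabled endpoint is never served, and `exclude` wins over `include`. It does not model Spring Boot 1.x `endpoints.*` keys, and it only checks exposure, not whether Spring Security is in front of the endpoint, so an exposed heapdump behind real authentication is still reported as exposed. The two embedded property files are constructed illustrations of a weak and a hardened configuration.

```python
def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: key=value lines, '#'/'!' comments, no continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _csv(value: str) -> set:
    return {v.strip() for v in value.split(",") if v.strip()}


def endpoint_exposed(props: dict, endpoint: str = "heapdump"):
    """Return (exposed, reason) for one Actuator endpoint under Spring Boot 2.x/3.x semantics.

    Order of evaluation follows the Actuator documentation: enablement first, then web
    exposure, where 'exclude' takes precedence over 'include'. The default include list is
    'health' (2.x also includes 'info'); neither default exposes heapdump.
    """
    enabled_default = props.get("management.endpoints.enabled-by-default", "true").lower() == "true"
    enabled = props.get(f"management.endpoint.{endpoint}.enabled",
                        str(enabled_default)).lower() == "true"
    if not enabled:
        return False, f"{endpoint} endpoint is disabled"

    include = _csv(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    if endpoint in exclude or "*" in exclude:
        return False, f"{endpoint} is excluded from web exposure"
    if endpoint in include or "*" in include:
        base = props.get("management.endpoints.web.base-path", "/actuator")
        port = props.get("management.server.port", "application port")
        return True, f"{endpoint} reachable at {base}/{endpoint} on {port}"
    return False, f"{endpoint} is not in the web exposure include list"


# Constructed example of the weak pattern: every Actuator endpoint on the application port.
WEAK_CONFIG = """
# application.properties (weak, hypothetical)
management.endpoints.web.exposure.include=*
"""

# Constructed hardened counterpart: only health/info, heapdump off entirely, separate port.
HARDENED_CONFIG = """
# application.properties (hardened, hypothetical)
management.endpoints.web.exposure.include=health,info
management.endpoints.web.exposure.exclude=heapdump,env,configprops
management.endpoint.heapdump.enabled=false
management.server.port=9090
"""


def audit(text: str, endpoints=("heapdump", "env", "configprops", "health")):
    """Audit a properties file and return {endpoint: (exposed, reason)}."""
    props = parse_properties(text)
    return {ep: endpoint_exposed(props, ep) for ep in endpoints}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for ep, (exposed, reason) in audit(cfg).items():
            print(f"  {'EXPOSED ' if exposed else 'ok      '} {reason}")
```

Point `audit` at the deployed `application.properties` (or a YAML file flattened to dotted keys) rather than the one in source control; the legacy configurations GreyNoise refers to are often environment overrides that never appear in the repository. Treat an "EXPOSED" result for heapdump as confirmed only after an external request reproduces it, and a clean result as provisional until the same request returns 401/404.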
CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on July 14, 2025. The report also lands in a year of heavy losses elsewhere: crypto-related thefts have reached $2.17 billion in 2025, driven by incidents such as the Bybit hack and physical "wrench attacks" on Bitcoin holders.