Federal Data at Risk: Hackers Actively Targeting TeleMessage SGNL's Exposed Heapdump Vulnerability
Security researchers are tracking active exploitation attempts targeting a severe vulnerability (CVE-2025-48927) in TeleMessage's SGNL application, a Signal clone marketed for compliant communication archiving. Telemetry from GreyNoise indicates at least 11 distinct IPs attempting to exploit the flaw, alongside widespread reconnaissance scanning targeting Spring Boot Actuator endpoints – a precursor to identifying vulnerable SGNL instances. Over 2,000 IPs have scanned for these endpoints in recent months, with a significant focus on /health paths.
The Heapdump Hazard
The core vulnerability stems from the exposure of Spring Boot Actuator's /heapdump endpoint without authentication. TeleMessage, now owned by compliance specialist Smarsh, addressed the flaw, but numerous on-premises installations remain unpatched or misconfigured. An attacker exploiting CVE-2025-48927 can download a full Java heap memory dump (typically ~150MB). Critically, these dumps often contain plaintext usernames, passwords, API tokens, and other highly sensitive information scraped from the application's memory during operation.
"GreyNoise telemetry shows active scanning for Spring Boot Actuator endpoints, a potential precursor to identifying systems affected by CVE-2025-48927" - GreyNoise Report
Compliance Tool or Compliance Risk?
TeleMessage SGNL is designed for organizations requiring encrypted communication with automatic archiving for compliance (e.g., finance, government). However, its security claims have been contentious. Past research disputed its end-to-end encryption implementation, suggesting sensitive data, including messages, was stored in plaintext. This vulnerability reinforces those concerns. The flaw's significance was amplified in May 2025 when a hacker accessed a diagnostic endpoint, exfiltrating credentials and archived content, triggering national security concerns due to SGNL's use by U.S. Customs & Border Protection (CBP) and officials like Rep. Mike Waltz.
Mitigation Imperative
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-48927 (and the related CVE-2025-48928) to its Known Exploited Vulnerabilities (KEV) catalog on July 1st, requiring all federal agencies to apply mitigations by July 22nd. Key defensive actions include:
- Immediately disable or restrict access to the /heapdump endpoint.
- Enforce strict authentication for all Spring Boot Actuator endpoints.
- Restrict Actuator endpoint access to trusted IP ranges only.
- Apply vendor patches immediately for on-premises SGNL deployments.
- Audit configurations to minimize unnecessary endpoint exposure.
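The audit step above can be partly automated against a Spring Boot application.properties file. The script below is an added example, not TeleMessage's or Smarsh's code; the two property files it checks are constructed samples, and the exposure logic follows the documented Spring Boot rules (exclude wins over include, a per-endpoint enabled flag overrides enabled-by-default).

```python
"""Audit Spring Boot Actuator settings for web exposure of /heapdump."""

# Constructed sample: every Actuator endpoint exposed on the application port.
WEAK_CONFIG = """
# wildcard include publishes heapdump, env, and every other endpoint
management.endpoints.web.exposure.include=*
"""

# Constructed sample: only health exposed, heapdump disabled, separate port.
HARDENED_CONFIG = """
management.endpoints.web.exposure.include=health
management.endpoints.web.exposure.exclude=heapdump,env
management.endpoint.heapdump.enabled=false
management.server.port=8081
"""

def parse_properties(text):
    """Minimal key=value parser; skips blank lines and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def _csv(value):
    return {v.strip() for v in value.split(",") if v.strip()}

def heapdump_web_exposed(props):
    """True when heapdump is enabled and in the web exposure set."""
    default_on = props.get("management.endpoints.enabled-by-default", "true").lower() == "true"
    enabled = props.get("management.endpoint.heapdump.enabled", str(default_on)).lower() == "true"
    # Recent Spring Boot versions expose only 'health' over HTTP by default.
    include = _csv(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    included = ("*" in include or "heapdump" in include) and not ({"*", "heapdump"} & exclude)
    return enabled and included

def audit(text):
    """Return a list of findings; an empty list means no exposure detected."""
    props = parse_properties(text)
    findings = []
    if heapdump_web_exposed(props):
        findings.append("heapdump endpoint reachable over HTTP")
    if "*" in _csv(props.get("management.endpoints.web.exposure.include", "health")):
        findings.append("wildcard Actuator exposure (include=*)")
    if "management.server.port" not in props:
        findings.append("Actuator shares the application port (no management.server.port)")
    return findings
```

Property files cannot show whether Spring Security actually guards the Actuator paths, so a clean result here still needs an authentication check against the running instance.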
The active scanning and exploitation attempts underscore the urgency. This vulnerability transforms a tool built for regulatory compliance into a significant liability, exposing foundational security failures in how sensitive diagnostic interfaces are secured within critical applications. The targeting of federal systems elevates the stakes, demanding swift and decisive action from all organizations running vulnerable SGNL instances, particularly before CISA's deadline passes.
Source: BleepingComputer - Hackers scanning for TeleMessage Signal clone flaw exposing passwords