CISA Alerts on Exploited Vulnerabilities in TeleMessage TM SGNL

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert concerning two vulnerabilities in the TeleMessage TM SGNL application, tracked as CVE-2025-48927 and CVE-2025-48928. Both flaws affect the TeleMessage service through May 5, 2025, and both are being actively exploited, posing a substantial risk to organizations that rely on the platform to archive their communications.

Overview of the Vulnerabilities

CVE-2025-48927: Insecure Default Configuration in Spring Boot Actuator

This vulnerability arises from an insecure default configuration of the Spring Boot Actuator component in TeleMessage TM SGNL: the Actuator heap dump endpoint is served without authentication at the `/heapdump` URI path. Anyone who can reach the service over HTTP can download a snapshot of the JVM heap, which contains whatever the process held in memory at that moment, including authentication credentials and session tokens, compromising the confidentiality of the system. An endpoint at `/heapdump` rather than the Spring Boot 2.x default of `/actuator/heapdump` indicates either an older Actuator generation, which served its endpoints from the application root, or a management base path that was changed to the root.
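The misconfiguration behind CVE-2025-48927 is a handful of Spring Boot properties. The following script is an added example, not TeleMessage's code or configuration: it parses an `application.properties` file, reports whether the heap dump endpoint is reachable over HTTP, and emits a hardened version. The property keys (`management.endpoints.web.exposure.include`, `management.endpoint.heapdump.enabled`, `management.endpoints.web.base-path`, and the Spring Boot 1.x `management.security.enabled`) are real Spring Boot keys; the sample configuration `WEAK_CONFIG` is constructed for illustration and is not taken from the affected product.

```python
"""Audit a Spring Boot application.properties for actuator heap-dump exposure.

Added example, not TeleMessage code. WEAK_CONFIG is constructed for
illustration; the property names are real Spring Boot keys.
"""

# Constructed sample: the two settings that put /heapdump on the network.
WEAK_CONFIG = """
server.port=8080
# Expose every actuator endpoint over HTTP (Spring Boot's default exposes only health)
management.endpoints.web.exposure.include=*
# Serve actuator endpoints from the application root, so heapdump sits at /heapdump
management.endpoints.web.base-path=/
"""


def parse_properties(text):
    """Return {key: value} for key=value lines, ignoring comments and blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _csv(value):
    """Split a comma-separated property value into a set of names."""
    return {v.strip() for v in value.split(",") if v.strip()}


def audit_actuator(text):
    """Return a list of findings; an empty list means heapdump is not reachable over HTTP."""
    p = parse_properties(text)
    findings = []
    include = _csv(p.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv(p.get("management.endpoints.web.exposure.exclude", ""))
    heapdump_enabled = p.get("management.endpoint.heapdump.enabled", "true").lower() != "false"
    base_path = p.get("management.endpoints.web.base-path", "/actuator")

    exposed = ("*" in include or "heapdump" in include) and not ({"*", "heapdump"} & exclude)
    if exposed and heapdump_enabled:
        findings.append(
            f"heapdump endpoint reachable at {base_path.rstrip('/')}/heapdump (CVE-2025-48927 pattern)"
        )
    if "*" in include:
        findings.append("exposure.include=* also exposes env, threaddump, mappings and configprops")
    if base_path in ("/", ""):
        findings.append("actuator base-path is the application root; path rules for /actuator/** miss it")
    if p.get("management.security.enabled", "true").lower() == "false":
        findings.append("management.security.enabled=false (Spring Boot 1.x) removes auth from sensitive endpoints")
    return findings


def harden(text):
    """Rewrite the config: expose only health, disable heapdump, keep the /actuator base path."""
    p = parse_properties(text)
    p["management.endpoints.web.exposure.include"] = "health"
    p["management.endpoints.web.exposure.exclude"] = "heapdump"
    p["management.endpoint.heapdump.enabled"] = "false"
    p.pop("management.endpoints.web.base-path", None)   # back to the /actuator default
    p.pop("management.security.enabled", None)          # never switch management security off
    return "\n".join(f"{k}={v}" for k, v in sorted(p.items())) + "\n"


if __name__ == "__main__":
    for finding in audit_actuator(WEAK_CONFIG):
        print("FINDING:", finding)
    print("--- hardened properties ---")
    print(harden(WEAK_CONFIG))
```

Disabling the endpoint is the durable fix; merely excluding it from web exposure still leaves it one configuration change away from the network. Where the heap dump or other diagnostic endpoints are genuinely needed, bind them to a separate management port on a private interface and put authentication in front of them rather than exposing them on the application's listener.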

CVE-2025-48928: Exposure of Core Dump Files in JSP Application

The second vulnerability concerns the application’s JavaServer Pages (JSP) implementation: the JVM heap content is roughly equivalent to a core dump, so a password previously submitted over plain HTTP remains in process memory and is included whenever the heap is dumped. Combined with the exposed heap dump endpoint, this turns a memory snapshot into a direct disclosure of user passwords and other authentication data, significantly increasing the risk of unauthorized access and data breaches.
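To see why a heap snapshot is equivalent to a credential leak, it helps to look at what a defender would find in one. The script below is an added example for impact assessment, not TeleMessage's code: it scans a dump as opaque bytes for HTTP Basic credentials, URL-encoded login form bodies and session cookies, the kinds of data CVE-2025-48928 describes as surviving in the heap. `DUMP` is a constructed byte blob standing in for a fragment of a JVM heap dump; a real HPROF file is hundreds of megabytes and, if it was downloaded gzip-compressed, must be decompressed before scanning.

```python
"""Triage a leaked heap dump for credentials that transited HTTP.

Added example, not TeleMessage code. DUMP is a constructed byte blob that
imitates a fragment of JVM heap with HTTP request data interleaved with
object headers; the scan treats the dump as opaque bytes.
"""
import base64
import re
from urllib.parse import unquote_plus

# Constructed sample: Basic auth header, a login form body, and a session cookie
# sitting between arbitrary heap bytes.
DUMP = (
    b"\x00\x01java/lang/String\x00\x00"
    b"GET /login HTTP/1.1\r\nHost: archive.example\r\n"
    b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"
    b"\x00\x00\x00\x07username=bob&password=s3cr%21et&remember=1\x00\xff"
    b"Cookie: JSESSIONID=1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D\x00"
)

BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]{8,})")
# Form bodies are URL-encoded; stop each value at '&' or at any control byte.
FORM_RE = re.compile(
    rb"(?:^|[&\x00-\x1f\s])(username|user|login)=([^&\x00-\x1f]+)&password=([^&\x00-\x1f]+)"
)
SESSION_RE = re.compile(rb"JSESSIONID=([0-9A-Fa-f]{16,})")


def redact(secret):
    """Keep two characters so findings can be matched to accounts without reprinting secrets."""
    return secret[:2] + "*" * max(0, len(secret) - 2)


def scan_dump(blob):
    """Return credential findings in offset order of discovery per category."""
    findings = []
    for m in BASIC_RE.finditer(blob):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: not real base64
            continue
        user, _, password = decoded.partition(":")
        findings.append({"kind": "http-basic", "user": user, "secret": password, "offset": m.start()})
    for m in FORM_RE.finditer(blob):
        findings.append({
            "kind": "form-login",
            "user": unquote_plus(m.group(2).decode("ascii", "replace")),
            "secret": unquote_plus(m.group(3).decode("ascii", "replace")),
            "offset": m.start(2),
        })
    for m in SESSION_RE.finditer(blob):
        findings.append({"kind": "session-cookie", "user": None, "secret": m.group(1).decode(), "offset": m.start()})
    return findings


if __name__ == "__main__":
    for f in scan_dump(DUMP):
        print(f"{f['offset']:>8}  {f['kind']:<15} user={f['user']!r} secret={redact(f['secret'])}")
```

Run against a real dump, the output is the list of accounts and sessions that must be treated as compromised: rotate every password found, invalidate every session identifier, and assume any credential that was in memory between deployment and the patch date may have been taken even if it does not appear in the dump you retrieved.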

Implications and Risks

Exploitation yields credentials and session tokens straight from server memory, enabling unauthorized access to archived messages, potential privilege escalation on the archiving platform, and follow-on attacks that reuse the stolen credentials, up to and including ransomware deployment. Organizations relying on TeleMessage TM SGNL for secure communications are particularly at risk, because the flaws undermine the confidentiality of the very messages the product exists to archive.

CISA’s Recommendations and Deadlines

In response to the active exploitation of these vulnerabilities, CISA added both CVE-2025-48927 and CVE-2025-48928 to its Known Exploited Vulnerabilities (KEV) catalog on July 1, 2025. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch agencies must apply mitigations per vendor instructions or discontinue use of the affected product by July 22, 2025. While the directive binds only federal agencies, CISA strongly advises all organizations using TeleMessage TM SGNL to apply vendor mitigations immediately and, where mitigations are unavailable or insufficient, to discontinue use of the product.

Background and Context

TeleMessage TM SGNL is a modified Signal client designed to archive communications from messaging platforms such as WhatsApp, Telegram, and Signal. The application gained attention when then-National Security Advisor Mike Waltz was photographed using it, leading to the discovery that numerous government officials were also using the platform. Subsequent investigation revealed that archived messages were not end-to-end encrypted between the client and TeleMessage’s archive server, so anyone who compromised that server could read chat logs and other sensitive information.

The vulnerabilities were exploited in early May 2025, when an attacker demonstrated how the combination of outdated technology and an exposed endpoint allowed them to retrieve snapshots of the server’s memory containing user credentials and other sensitive data. The entire process reportedly took approximately 20 minutes, underscoring how little effort these flaws demanded of an attacker.

Technical Details

CVE-2025-48927:

– Description: Initialization of a resource with an insecure default configuration in the Spring Boot Actuator component, exposing the `/heapdump` endpoint without authentication.

– Weakness: CWE-1188 (Initialization of a Resource with an Insecure Default)

– Affected Product: TeleMessage TM SGNL (TeleMessage service through May 5, 2025)

– CVSS Score: 5.3 (Medium)

CVE-2025-48928:

– Description: Exposure of core dump files to an unauthorized control sphere in the JSP application; heap content includes passwords previously sent over HTTP.

– Weakness: CWE-528 (Exposure of Core Dump File to an Unauthorized Control Sphere)

– Affected Product: TeleMessage TM SGNL (TeleMessage service through May 5, 2025)

– CVSS Score: 4.0 (Medium)

Mitigation Steps

Organizations are urged to take the following actions to address these vulnerabilities:

1. Apply Vendor Mitigations: Implement the mitigations and updates provided by TeleMessage for the identified vulnerabilities; the KEV entry directs users to follow vendor instructions.

2. Review Configuration Settings: Confirm that Spring Boot Actuator exposes only the endpoints you need, that the heap dump endpoint is disabled, and that any remaining management endpoints are reachable only from an authenticated or internal management interface, never from the application’s public listener.

3. Monitor for Unauthorized Access: Review web access logs for requests to `/heapdump`, `/actuator/heapdump` and other Actuator paths; a 200 response with a multi-megabyte body indicates a successful dump retrieval. Treat any such retrieval as a credential compromise and rotate the passwords and session tokens that may have been in memory at the time.

4. Discontinue Use if Necessary: If adequate mitigations are unavailable or cannot be applied promptly, consider discontinuing the use of TeleMessage TM SGNL to prevent potential security breaches.
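The monitoring step above reduces to a check over access logs. The script below is an added example, not TeleMessage tooling: it parses combined-format access log lines, flags requests to sensitive Actuator paths whether served from the application root or under `/actuator`, and distinguishes a failed probe from a successful retrieval by status code and response size. The log lines in `SAMPLE_LOG` are constructed for illustration; the addresses are documentation ranges and the one-million-byte threshold for a real heap dump is an assumption to tune for your heap size.

```python
"""Flag heap-dump retrievals in Tomcat/Apache-style access logs.

Added example, not TeleMessage code. SAMPLE_LOG is constructed: two normal
requests, a probe of /actuator/heapdump that got 404, a 200 MB download of
/heapdump, and a read of /env.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
203.0.113.5 - - [04/May/2025:14:02:11 +0000] "GET /login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [04/May/2025:14:02:14 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [04/May/2025:14:05:40 +0000] "GET /actuator/heapdump HTTP/1.1" 404 312 "-" "curl/8.5.0"
198.51.100.7 - - [04/May/2025:14:05:52 +0000] "GET /heapdump HTTP/1.1" 200 209715200 "-" "curl/8.5.0"
198.51.100.7 - - [04/May/2025:14:06:30 +0000] "GET /env HTTP/1.1" 200 8841 "-" "curl/8.5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Actuator endpoints whose bodies leak secrets, at the root or under /actuator.
SENSITIVE_RE = re.compile(r"^/(actuator/)?(heapdump|env|threaddump|mappings|configprops)(\?|$)")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def flag_actuator_access(lines, min_dump_bytes=1_000_000):
    """Return events for sensitive actuator paths.

    severity is 'exfil' for a heapdump served with 200 and a dump-sized body,
    'leak' for any other 200 from a sensitive endpoint, and 'probe' otherwise.
    """
    events = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        m = SENSITIVE_RE.match(rec["path"])
        if not m:
            continue
        endpoint = m.group(2)
        if rec["status"] == 200 and endpoint == "heapdump" and rec["bytes"] >= min_dump_bytes:
            severity = "exfil"
        elif rec["status"] == 200:
            severity = "leak"
        else:
            severity = "probe"
        events.append({"ip": rec["ip"], "ts": rec["ts"], "endpoint": endpoint,
                       "status": rec["status"], "bytes": rec["bytes"], "severity": severity})
    return events


def summarize_by_ip(events):
    """Count probe/leak/exfil events per client address."""
    summary = defaultdict(lambda: {"probe": 0, "leak": 0, "exfil": 0})
    for e in events:
        summary[e["ip"]][e["severity"]] += 1
    return dict(summary)


if __name__ == "__main__":
    events = flag_actuator_access(SAMPLE_LOG.splitlines())
    for e in events:
        print(e)
    print(summarize_by_ip(events))
```

A single `exfil` event is sufficient to trigger the rotation in step 3; the probe that preceded it shows the attacker trying the Spring Boot 2.x path first, which is why the detection matches both locations. If your logs do not record response size, fall back to treating any 200 from a heapdump path as a retrieval.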

Conclusion

The active exploitation of vulnerabilities CVE-2025-48927 and CVE-2025-48928 in TeleMessage TM SGNL underscores the critical importance of maintaining secure configurations and promptly applying security patches. Organizations must remain vigilant and proactive in addressing such vulnerabilities to safeguard sensitive information and maintain the integrity of their communication platforms.