A significant security flaw has been identified in TeleMessage’s TM SGNL, an enterprise messaging system modeled after Signal, which has been actively exploited by cybercriminals to extract sensitive user credentials and personal data. This vulnerability, designated as CVE-2025-48927, poses a substantial risk to government agencies and enterprises relying on this platform for secure communication.
Understanding the Vulnerability
The root of this security issue lies in TM SGNL’s use of outdated configurations in the Spring Boot Actuator framework. Specifically, a diagnostic endpoint known as /heapdump was left publicly accessible without requiring authentication. This endpoint can provide complete snapshots of the application’s heap memory, approximately 150MB in size, potentially containing plaintext usernames, passwords, and other sensitive information.
While newer versions of Spring Boot have addressed this concern by disabling public access to such endpoints by default, TM SGNL continued to use the vulnerable configuration until at least May 5, 2025. The severity of this issue led the Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2025-48927 to its Known Exploited Vulnerabilities (KEV) catalog on July 14, 2025.
Active Exploitation and Malicious Activity
Security research firm GreyNoise has observed significant malicious activity targeting this vulnerability. As of July 16, 2025, 11 IP addresses have been identified attempting to exploit CVE-2025-48927. Additionally, over the past 90 days, 2,009 IP addresses have scanned for Spring Boot Actuator endpoints, with 1,582 specifically targeting /health endpoints. This pattern suggests organized cybercriminal campaigns rather than isolated attacks.
Implications for Government Communications
The exploitation of this vulnerability has had far-reaching consequences, particularly for U.S. government communications. A hacker breached TeleMessage’s infrastructure and intercepted messages from over 60 unique U.S. government users, including officials from the Federal Emergency Management Agency (FEMA), U.S. diplomatic staff, the Secret Service, and at least one White House staffer. The leaked data included messages concerning senior officials’ travel plans and logistical coordination, raising significant counterintelligence concerns.
Technical Details of the Breach
The hacker exploited a misconfiguration in TeleMessage’s use of the Spring Boot Actuator framework. By accessing the /heapdump endpoint, the attacker was able to download heap dumps containing sensitive information such as usernames, passwords, unencrypted chat logs, and encryption keys. This breach underscores the critical importance of securing diagnostic endpoints and ensuring that sensitive data is not exposed through misconfigurations.
Response and Mitigation Measures
In response to the breach, Smarsh, the parent company of TeleMessage, suspended all TeleMessage services to investigate the security incident. CISA has urged organizations to apply vendor-supplied mitigations or discontinue the use of the product by July 22, 2025. Recommended actions include disabling or restricting access to the /heapdump endpoint, limiting exposure of all Actuator endpoints unless explicitly required, and upgrading to supported Spring Boot versions with secure defaults.
Lessons Learned and Best Practices
This incident highlights several critical lessons for organizations:
1. Regular Security Audits: Conduct thorough security audits to identify and remediate vulnerabilities, especially in third-party applications.
2. Secure Configuration Management: Ensure that all applications are configured securely, with unnecessary endpoints disabled and access controls enforced.
3. Timely Patching: Stay updated with the latest security patches and updates to prevent exploitation of known vulnerabilities.
4. Data Encryption: Implement robust encryption practices to protect sensitive data both in transit and at rest.
5. User Training: Educate users on security best practices to prevent inadvertent exposure of sensitive information.
By adhering to these best practices, organizations can enhance their security posture and mitigate the risks associated with similar vulnerabilities.
