Researchers have observed multiple exploitation attempts against CVE-2025-48927 in the TeleMessage SGNL app, a flaw that allows an unauthenticated attacker to retrieve usernames, passwords, and other sensitive data. The vulnerability is caused by exposing the '/heapdump' endpoint of Spring Boot Actuator without authentication. A single request to that endpoint returns a full Java heap memory dump, which may contain plaintext usernames, passwords, tokens, and other sensitive data held by the running application. Spring Boot 2 and later do not expose heapdump over HTTP by default, so an exposed endpoint is typically the result of a deployment enabling it (for example via management.endpoints.web.exposure.include=*) without putting authentication in front of it. TeleMessage has addressed the issue, but some on-premises installations remain vulnerable. The event raised national security concerns in the U.S. after it was revealed that the product was used by Customs & Border Protection and by officials including Mike Waltz.
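The exposure check and post-incident triage implied by the paragraph above, as an added example that is not TeleMessage, Smarsh or GreyNoise code: it probes both Actuator path generations, confirms exposure by the HPROF magic in the first bytes rather than by status code alone, and scans a dump for credential-looking strings in both encodings a Java heap holds them in. The host name is a placeholder and the sample dump bytes are constructed for illustration; requesting the endpoint makes the target JVM produce a full heap dump on every hit, so run the live probe only against systems you are authorised to test.

```python
"""Check for an unauthenticated Actuator heap dump and triage what a dump leaks.

Added example, not TeleMessage/Smarsh code. The host name and the sample
dump bytes below are constructed for illustration.
"""
import re
import urllib.error
import urllib.request

# Spring Boot 2.x/3.x serve Actuator under /actuator by default; 1.x served
# endpoints at the context root, so both paths are worth probing.
HEAPDUMP_PATHS = ("/actuator/heapdump", "/heapdump")

# Every HPROF file starts with this magic ("JAVA PROFILE 1.0.1" or "1.0.2"),
# so a few bytes confirm a real dump without pulling down gigabytes.
HPROF_MAGIC = b"JAVA PROFILE 1.0."


def candidate_urls(base_url: str) -> list[str]:
    """Both Actuator generations' heapdump locations for a base URL."""
    base = base_url.rstrip("/")
    return [base + path for path in HEAPDUMP_PATHS]


def classify_response(status: int, body_prefix: bytes) -> str:
    """Turn an anonymous request's status and first bytes into a finding.

    Requiring the HPROF magic avoids a false positive from a catch-all route
    that answers every path with 200 and an HTML page.
    """
    if status in (200, 206) and body_prefix.startswith(HPROF_MAGIC):
        return "exposed"     # a real heap dump was served without credentials
    if status in (401, 403):
        return "protected"   # endpoint exists but authentication is enforced
    return "absent"          # 404 (also what a disabled endpoint returns) or not Actuator


def probe(url: str, timeout: float = 30.0) -> str:
    """Live check; not exercised by the test. Reads only the first 32 bytes.

    Caveat: the endpoint makes the JVM write a full heap dump on every
    request, which is expensive for the target, so only probe systems you
    are authorised to test. The Range header is best effort; the 32-byte
    read bounds the transfer even if the server ignores it.
    """
    req = urllib.request.Request(url, headers={"Range": "bytes=0-31"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read(32))
    except urllib.error.HTTPError as err:
        return classify_response(err.code, b"")


# What a responder greps a dump for; extend with application-specific names.
CREDENTIAL_PATTERNS = (
    re.compile(rb"(?i)(?:password|passwd|pwd|secret|token|api[_-]?key)\s*[=:]\s*[!-~]+"),
    re.compile(rb"(?i)authorization:\s*(?:bearer|basic)\s+[!-~]+"),
    re.compile(rb"jdbc:[a-z]+://[!-~]+"),
)
# UTF-16BE runs of printable ASCII: a NUL high byte before every character.
UTF16_RUN = re.compile(rb"(?:\x00[\x20-\x7e]){4,}")


def scan_dump_bytes(data: bytes) -> list[str]:
    """Credential-looking strings in a dump, in both encodings Java uses.

    Java 9+ keeps Latin-1 strings as byte[] and the rest as UTF-16 char[];
    HPROF writes char arrays big-endian, so a plain `strings` pass over the
    file misses the UTF-16 ones. Both views are scanned and deduplicated.
    """
    views = [data] + [run.group(0)[1::2] for run in UTF16_RUN.finditer(data)]
    found = set()
    for view in views:
        for pattern in CREDENTIAL_PATTERNS:
            for match in pattern.finditer(view):
                found.add(match.group(0).decode("latin-1"))
    return sorted(found)


# Constructed stand-in for a dump: HPROF header (magic, identifier size,
# timestamp) followed by filler and three string payloads in the encodings
# a real dump would hold them in.
SAMPLE_DUMP = (
    b"JAVA PROFILE 1.0.2\x00" + b"\x00\x00\x00\x08" + b"\x00" * 8
    + b"\x00" * 16
    + b"spring.datasource.password=S3cr3t!\x00"                    # Latin-1 byte[]
    + b"\x00" * 8
    + "Authorization: Bearer eyJabc.def.ghi".encode("utf-16-be")    # UTF-16 char[]
    + b"\x00" * 8
    + b"jdbc:postgresql://db.internal:5432/app\x00"
    + b"\xff\x00\x7f" * 4
)

if __name__ == "__main__":
    for url in candidate_urls("https://sgnl.example.internal"):   # placeholder host
        print(url)
    print(classify_response(200, SAMPLE_DUMP[:32]))   # exposed
    for hit in scan_dump_bytes(SAMPLE_DUMP):
        print(hit)
```

A 401 or 403 from the same paths is the healthy outcome; a 404 can mean either that Actuator is absent or that heapdump is disabled, which is why the scanner does not treat 404 as a negative finding about the framework. The triage function is deliberately crude (regex over raw bytes rather than a full HPROF record walk) because its purpose is to answer quickly whether credential material was in a dump that may already have been downloaded.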
TPRM report: https://scoringcyber.rankiteo.com/company/telemessage
"id": "tel713072025",
"linkid": "telemessage",
"type": "Vulnerability",
"date": "7/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{
  "affected_entities": [
    {
      "customers_affected": ["Customs & Border Protection", "Mike Waltz"],
      "industry": "Compliance-focused Communication Solutions",
      "name": "Smarsh",
      "type": "Company"
    }
  ],
  "attack_vector": "Exposed diagnostic endpoint",
  "data_breach": {
    "data_exfiltration": true,
    "personally_identifiable_information": true,
    "sensitivity_of_data": "High",
    "type_of_data_compromised": ["usernames", "passwords", "tokens", "sensitive data"]
  },
  "date_detected": "2025-05-01",
  "date_publicly_disclosed": "2025-05-01",
  "description": "Researchers have observed exploitation attempts for the CVE-2025-48927 vulnerability in the TeleMessage SGNL app, allowing retrieval of usernames, passwords, and other sensitive data. The vulnerability is caused by exposing the '/heapdump' endpoint from Spring Boot Actuator without authentication.",
  "impact": {
    "data_compromised": ["usernames", "passwords", "tokens", "sensitive data"],
    "systems_affected": ["TeleMessage SGNL app"]
  },
  "initial_access_broker": {
    "entry_point": "Exposed diagnostic endpoint",
    "reconnaissance_period": "Ongoing"
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "Importance of securing diagnostic endpoints and limiting exposure of Actuator endpoints",
  "motivation": "Data Theft",
  "post_incident_analysis": {
    "corrective_actions": "Disable or restrict access to the /heapdump endpoint",
    "root_causes": "Exposing the '/heapdump' endpoint without authentication"
  },
  "recommendations": "Disable or restrict access to the /heapdump endpoint and limit exposure of all Actuator endpoints",
  "references": [{"source": "GreyNoise"}, {"source": "Smarsh spokesperson"}],
  "regulatory_compliance": {
    "regulatory_notifications": "CISA added to KEV catalog"
  },
  "response": {
    "containment_measures": "Disable or restrict access to the /heapdump endpoint",
    "remediation_measures": "Limit exposure of all Actuator endpoints as much as possible"
  },
  "title": "Exploitation of CVE-2025-48927 in TeleMessage SGNL App",
  "type": "Vulnerability Exploitation",
  "vulnerability_exploited": "CVE-2025-48927"
}