CVE-2025-48927 - PatchNow

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-05-28

Added to CISA KEV: 2025-07-01 34 DAYS BETWEEN CVE AND KEV

⚠️ CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review logs, check for unauthorized access, verify system integrity before patching
CRITICAL: Immediately disable or secure Spring Boot Actuator endpoints, particularly /heapdump
Monitor network traffic for requests to /heapdump and other actuator endpoints
Patch to latest version immediately - this is actively exploited and on CISA KEV

Here's what is known about the CVE-2025-48927 vulnerability:

Internet-facing applications: CVE-2025-48927 affects internet-facing applications, specifically TeleMessage TM SGNL, an enterprise messaging system modeled after Signal ^[1]^[2]. The vulnerability exists due to an exposed Spring Boot Actuator ```/heapdump``` endpoint ^[1].

Active exploitation: There is evidence of active exploitation of this vulnerability in the wild ^[3]^[4]. This active exploitation led to CISA adding it to the Known Exploited Vulnerabilities (KEV) Catalog ^[3]^[4].

Attack vectors and exploitation methods: The vulnerability allows attackers to trivially extract sensitive credentials via an unauthenticated, exposed ```/heapdump``` endpoint ^[5]^[1]. It is remotely exploitable and requires no user interaction ^[1].

Targeted attacks: While it's not explicitly stated that CVE-2025-48927 has been used in "targeted attacks", the affected software, TeleMessage TM SGNL, is used by government agencies and enterprises for archiving secure communications, suggesting a potential for such attacks ^[2]^[6].

CISA Known Exploited Vulnerabilities (KEV) status: CISA has added CVE-2025-48927 to its Known Exploited Vulnerabilities Catalog ^[3]^[4].

Technical details about internet exploitability: CVE-2025-48927 is considered remotely exploitable ^[1]. The vulnerability is due to the TeleMessage service configuring Spring Boot Actuator with an exposed heap dump endpoint at a ```/heapdump``` URI ^[7]^[8]. Attackers can extract sensitive credentials via this unauthenticated endpoint ^[5]^[1].

Checking the Scope of CVE-2025-48927 - GreyNoise Labs
However, CVE-2025-48927 is remotely exploitable and requires no user interaction. It exists in TeleMessage TM SGNL, a Signal clone that archives ...
Flaw in Signal App Clone Could Leak Passwords
A vulnerability disclosed in May 2025, CVE-2025-48927 , affects certain deployments of TeleMessage TM SGNL, an enterprise messaging system modeled ...
CISA Adds Two Known Exploited Vulnerabilities to Catalog
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2025-48927 TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability.
Known Exploited Vulnerabilities Catalog | CISA
HireVue Applicant Reasonable Accommodations Process. Hiring. Resume & Application Tips. Students & Recent Graduates. Veteran and Military Spouses.CVE-2025-48927.
Checking the Scope of CVE-2025-48927 – GreyNoise Labs
Checking the Scope of CVE-2025-48927 CVE-2025-48927 found in TeleMessage TM SGNL in May, and reported by KEV in July, allows attackers to trivially extract sensitive credentials via an unauthenticated, exposed /heapdump endpoint.

🔴 CVE-2025-48927