🟢 CVE-2025-48928

The TeleMessage service exposes heap content, similar to a core dump, that contains previously transmitted passwords. This is classified as CWE-528 (exposure of core dump file) with a local attack vector, indicating that the vulnerability requires local system access rather than direct internet exploitation.

Risk Level: LOW_RISK

CVSS Score: 4.0

Attack Vector: LOCAL

ATT&CK Tactic: Collection

ATT&CK Technique: T1005 — Data from Local System

Deployment Risk: HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2025-05-28

Added to CISA KEV: 2025-07-01 (34 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-48928 is a critical security vulnerability affecting the TeleMessage service, specifically involving the exposure of sensitive information through improper handling of application memory [1] [2].

Overview and Impact
The vulnerability exists because the TeleMessage service (through May 5, 2025) is based on a JSP application where the heap content is effectively exposed as a "core dump" [1]. This exposure allows unauthorized parties to access sensitive data, including passwords that were previously transmitted over HTTP, as these credentials remain present in the heap dump [2] [4].
Exploitation and Threat Activity
  • Active Exploitation: The vulnerability was confirmed to be exploited in the wild in May 2025 [2] [4].
  • CISA KEV Catalog: Due to this active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-48928 to its Known Exploited Vulnerabilities (KEV) Catalog on July 1, 2025 [3] [5].
  • Specific Campaigns: While it is listed in the KEV catalog, specific details regarding the threat actors or whether it was used in broader ransomware campaigns versus targeted espionage have not been publicly detailed in the available records.
Affected Versions and Mitigation
  • Affected Versions: The vulnerability affects the TeleMessage service, specifically the TM SGNL component, in versions through May 5, 2025 [1] [3].
  • Status: Users and organizations utilizing the affected TeleMessage software are advised to ensure they are running patched versions and to follow guidance provided by the vendor to mitigate the risk of unauthorized data exposure.
*Note: As of June 2026, organizations should verify their current software version against vendor-provided security updates to ensure they are no longer vulnerable to this issue.*

Sources

  1. CVE-2025-48928 Detail - NVD

    The TeleMessage service through 2025-05-05 is based on a JSP application in which the heap content is roughly equivalent to a core dump.

  2. CVE-2025-48928 - GitHub Advisory Database

    The TeleMessage service through 2025-05-05 is based on a JSP application in which the heap content is roughly equivalent to a "core dump" in which a password previously sent over HTTP would be included in this dump, as exploited in the wild in May 2025.

  3. CISA Adds Two Known Exploited Vulnerabilities to Catalog

    CVE-2025-48927 TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability CVE-2025-48928 TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability…

  4. CVE-2025-48928 : The TeleMessage service through 2025-05-05 is based on ...

    The TeleMessage service through 2025-05-05 is based on a JSP application in which the heap content is roughly equivalent to a "core dump" in which a password previously sent over HTTP would be included in this dump, as exploited in the wild in May 2025.

  5. 🛡️ We added TeleMessage TM SGNL vulnerabilities CVE- ...

    We added TeleMessage TM SGNL vulnerabilities CVE-2025-48927 & CVE-2025-48928 to our Known Exploited Vulnerabilities Catalog.