Back to KEVs

CVE-2025-48927

The TeleMessage service through 2025-05-05 configures Spring Boot Actuator with an exposed heap dump endpoint at a /heapdump URI, as exploited in...

Basic Information

CVE State: PUBLISHED
Reserved Date: May 28, 2025
Published Date: May 28, 2025
Last Updated: July 30, 2025
Vendor: TeleMessage
Product: service
Description: The TeleMessage service through 2025-05-05 configures Spring Boot Actuator with an exposed heap dump endpoint at a /heapdump URI, as exploited in the wild in May 2025.
Tags

CVSS Scores

CVSS v3.1

5.3 - MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Score

Score: 0.04% (Percentile: 9.11%) as of 2025-06-26

SSVC Information

Exploitation: active
Automatable: Yes
Technical Impact: partial

Exploit Status

Exploited in the Wild: Yes (2025-05-28 17:40:38 UTC) Source

References

https://www.wired.com/story/how-the-signal-knock-off-app-telemessage-got-hacked-in-20-minutes/

Known Exploited Vulnerability Information

Source	Added Date
CVE	2025-05-28 17:40:31 UTC

Recent Mentions

Hackers scanning for TeleMessage Signal clone flaw exposing passwords

Source: BleepingComputer • Published: 2025-07-18 15:06:05 UTC

Researchers are seeing exploitation attempts for the CVE-2025-48927 vulnerability in the TeleMessage SGNL app, which allows retrieving usernames, passwords, and other sensitive data. [...]

Flaw in Signal Clone TeleMessage Exploited En Masse for Password Theft

Source: CyberInsider • Published: 2025-07-18 07:13:30 UTC

A vulnerability in TeleMessageTM SGNL, a secure messaging platform modeled after Signal and widely used by government agencies and regulated enterprises, is now under active exploitation. GreyNoise confirms that attackers are probing for and exploiting CVE-2025-48927, a flaw that could allow unauthenticated access to memory dumps containing plaintext credentials. The vulnerability, first disclosed in May … The post Flaw in Signal Clone TeleMessage Exploited En Masse for Password Theft appeared first on CyberInsider.

Flaw in Signal App Clone Could Leak Passwords — GreyNoise Identifies Active Reconnaissance and Exploit Attempts

Source: GreyNoise • Published: 2025-07-17 00:00:00 UTC

A vulnerability disclosed in May 2025, CVE-2025-48927, affects certain deployments of TeleMessageTM SGNL. If exposed, this endpoint can return a full snapshot of heap memory which may include plaintext usernames, passwords, and other sensitive data.

[io.zipkin:zipkin-server] Zipkin Server vulnerable to Insecure Resource Initialization through its /heapdump endpoint

Source: Github Advisory Database (Maven) • Published: 2025-07-04 21:30:32 UTC

Zipkin through 3.5.1 has a /heapdump endpoint (associated with the use of Spring Boot Actuator), a similar issue to CVE-2025-48927. References https://nvd.nist.gov/vuln/detail/CVE-2025-53602 https://github.com/openzipkin/zipkin/pull/3804 https://github.com/openzipkin/zipkin/commit/3c7605dfdfab2dd341cf0ea121a56cefcd580d9e https://zipkin.io https://github.com/advisories/GHSA-794x-8x6x-qpfc

Timeline

CVE ID Reserved

May 28, 2025
CVE Published to Public

May 28, 2025
Added to KEVIntel

May 28, 2025