A vulnerability disclosed in May 2025, CVE-2025-48927, affects certain deployments of TeleMessageTM SGNL, an enterprise messaging system modeled after Signal, used by government agencies and enterprises alike to archive secure communications. The issue stems from the platform’s continued use of a legacy configuration in Spring Boot Actuator, where a diagnostic /heapdump endpoint is publicly accessible without authentication.
If exposed, this endpoint can return a full snapshot of heap memory — roughly 150MB — which may include plaintext usernames, passwords, and other sensitive data. While newer versions of Spring Boot no longer expose this endpoint by default, public reporting indicates that TeleMessage instances continued using the older, insecure configuration through at least May 5, 2025.
On July 14th, CVE-2025-48927 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
See GreyNoise’s technical writeup here.
What GreyNoise is Seeing
As of July 16, GreyNoise has observed 11 IPs attempting to exploit CVE-2025-48927 (tag created July 10).
Related reconnaissance behavior is ongoing. Our telemetry shows active scanning for Spring Boot Actuator endpoints — a potential precursor to identifying systems affected by CVE-2025-48927.
- 2,009 IPs have scanned for Spring Boot Actuator endpoints in the past 90 days.
- 1,582 IPs specifically targeted the /health endpoints — commonly used to detect internet-exposed Spring Boot deployments.
- GreyNoise has launched a dedicated tag to track scanning tied to this CVE: TeleMessageTM SGNL Spring Boot Actuator /heapdump Disclosure.
What to Do
Organizations using Spring Boot — particularly in internal tools or secure messaging environments — should verify whether the /heapdump endpoint is exposed to the internet.
Recommended actions:
- Block malicious IPs using GreyNoise.
- Disable or restrict access to the /heapdump endpoint.
- Limit exposure of all Actuator endpoints unless explicitly required.
- Review deployment configurations and upgrade to a supported version of Spring Boot where secure defaults are enforced.
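To check your own web or proxy access logs for the probing described above, the following added example (not GreyNoise code) groups /health and /heapdump requests by source IP and flags any heapdump request that was answered with a large 200 response. It assumes combined log format, also matches the /actuator/ prefix used by newer Spring Boot versions, and uses a hypothetical function name, size threshold, and constructed sample lines.

```python
import re
from collections import defaultdict

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jul/2025:10:01:02 +0000] "GET /health HTTP/1.1" 200 15 "-" "curl/8.0"
203.0.113.7 - - [16/Jul/2025:10:01:05 +0000] "GET /heapdump HTTP/1.1" 200 157286400 "-" "curl/8.0"
198.51.100.9 - - [16/Jul/2025:10:02:11 +0000] "GET /actuator/health HTTP/1.1" 404 0 "-" "scanner"
198.51.100.9 - - [16/Jul/2025:10:02:12 +0000] "GET /actuator/heapdump HTTP/1.1" 401 0 "-" "scanner"
192.0.2.44 - - [16/Jul/2025:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
HEAPDUMP_RE = re.compile(r'^(?:/actuator)?/heapdump(?:[/?]|$)', re.I)
HEALTH_RE = re.compile(r'^(?:/actuator)?/health(?:[/?]|$)', re.I)
# Assumed threshold: a served heap dump is large; tune it for your services.
LEAK_MIN_BYTES = 1_000_000

def triage(log_text):
    """Return {ip: {"health_probes": n, "heapdump_probes": n, "possible_leak": bool}}."""
    hits = defaultdict(
        lambda: {"health_probes": 0, "heapdump_probes": 0, "possible_leak": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        path = m["path"]
        if HEALTH_RE.match(path):
            hits[m["ip"]]["health_probes"] += 1
        elif HEAPDUMP_RE.match(path):
            entry = hits[m["ip"]]
            entry["heapdump_probes"] += 1
            size = 0 if m["size"] == "-" else int(m["size"])
            # A 200 with a large body means the dump was probably served.
            if m["status"] == "200" and size >= LEAK_MIN_BYTES:
                entry["possible_leak"] = True
    return dict(hits)

if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, info)
```

Any source flagged with possible_leak indicates the endpoint answered without authentication, so credentials that were in memory at that time should be treated as exposed and rotated.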
GreyNoise will continue monitoring for shifts in scanning behavior and provide updates if exploitation begins.
GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats.
---
This analysis was led by GreyNoise Researcher Howdy Fisher.
