CVE-2025-48927
published 2025-05-28

Priority: P276 · medium · 5.3 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N
KEV: CISA Known Exploited Vulnerability, due 2025-07-22
ITW: Exploited in the wild
EPSS: 7.86% (94.0th percentile)

The TeleMessage service through 2025-05-05 configures Spring Boot Actuator with an exposed heap dump endpoint at a /heapdump URI, as exploited in the wild in May 2025.

Affected

1 range

Vendor       Product   Version range   Fixed in
open_zipkin  zipkin    <= 3.5.1        -

Detection & IOCs (extracted from sources)

path: /heapdump
path: /health
  • Monitor for unauthenticated HTTP GET requests to the /heapdump URI path, which is the direct exploitation vector for CVE-2025-48927 against TeleMessage TM SGNL and similar Spring Boot Actuator deployments.
  • Scanning for /health endpoints is an active precursor/reconnaissance behavior used to identify internet-exposed Spring Boot deployments before targeting /heapdump. Correlate /health probes with subsequent /heapdump requests from the same source IP.
  • A successful exploit response will be a ~150MB Java heap memory dump download. Alert on unusually large HTTP responses (>100MB) originating from /heapdump or similar Actuator endpoints.
  • CVE-2025-48928 is a related sibling vulnerability in TeleMessage SGNL where a JSP app exposes a memory dump over HTTP; monitor for memory dump endpoint access patterns across both CVEs simultaneously.
  • Zipkin through version 3.5.1 exposes the same /heapdump endpoint via Spring Boot Actuator and is similarly vulnerable; extend detection rules to cover Zipkin deployments.
  • The vulnerability only exists when Spring Boot Actuator is configured with legacy/insecure defaults that expose the /heapdump endpoint without authentication. Newer Spring Boot versions do not expose this endpoint by default.
  • On-premises TeleMessage SGNL installations may still be vulnerable even after the vendor's cloud remediation, as the cloud fix was applied centrally and does not automatically patch self-hosted deployments.
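
The detection guidance above (heap dump requests, a /health probe beforehand from the same source IP, and responses over 100MB) can be expressed as one pass over web access logs. This is an added example, not code from the advisory or from any vendor; the Common Log Format input, the 30-minute correlation window, the use of the CLF user field as the authentication signal, and the sample lines are all assumptions or constructed data.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Common Log Format (documentation IP ranges only).
SAMPLE_LOG = """\
198.51.100.7 - - [10/May/2025:03:12:01 +0000] "GET /health HTTP/1.1" 200 15
198.51.100.7 - - [10/May/2025:03:12:09 +0000] "GET /heapdump HTTP/1.1" 200 157286400
203.0.113.20 - - [10/May/2025:03:15:44 +0000] "GET /health HTTP/1.1" 200 15
192.0.2.33 - - [10/May/2025:04:01:10 +0000] "GET /actuator/heapdump HTTP/1.1" 401 0
192.0.2.50 - ops [10/May/2025:05:30:00 +0000] "GET /heapdump HTTP/1.1" 200 149946368
"""

LINE = re.compile(r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')
LARGE = 100 * 1024 * 1024        # the ">100MB" response threshold from the guidance
WINDOW = timedelta(minutes=30)   # assumed window for /health -> /heapdump correlation

def detect(log_text):
    """Return (source_ip, path, reasons) for every GET that targets a heap dump path."""
    last_health = {}   # source IP -> timestamp of its most recent /health probe
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m["method"] != "GET":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        # Drop the query string and trailing slash so path variants still match.
        path = m["path"].split("?", 1)[0].rstrip("/").lower()
        if path.endswith("/health"):
            last_health[m["ip"]] = ts
        elif path.endswith("/heapdump"):
            size = 0 if m["size"] == "-" else int(m["size"])
            reasons = []
            if m["user"] == "-":   # assumption: "-" means no authenticated user was logged
                reasons.append("unauthenticated")
            seen = last_health.get(m["ip"])
            if seen and ts - seen <= WINDOW:
                reasons.append("preceded-by-health-probe")
            if m["status"] == "200" and size > LARGE:
                reasons.append("large-response")
            findings.append((m["ip"], path, reasons))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

A finding that carries all three reasons matches the full pattern described above; a finding with only "unauthenticated" and a 401 status is a blocked probe worth tracking by source IP.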

CVSS provenance

nvd        v3.1  5.3  MEDIUM  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
ghsa             5.3  MEDIUM
osv              5.3  MEDIUM
vulncheck        5.3  MEDIUM
cisa             5.3  MEDIUM