CVE-2025-48927
Published: 2025-05-28
Priority: P276 · medium · 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
KEV: CISA Known Exploited Vulnerability, due 2025-07-22
ITW: Exploited in the wild
EPSS: 7.86% (94.0th percentile)
The TeleMessage service through 2025-05-05 configures Spring Boot Actuator with an exposed heap dump endpoint at a /heapdump URI, as exploited in the wild in May 2025.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| open_zipkin | zipkin | <= 3.5.1 | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated HTTP GET requests to the /heapdump URI path, which is the direct exploitation vector for CVE-2025-48927 against TeleMessage TM SGNL and similar Spring Boot Actuator deployments.
- Scanning for /health endpoints is an active precursor/reconnaissance behavior used to identify internet-exposed Spring Boot deployments before targeting /heapdump. Correlate /health probes with subsequent /heapdump requests from the same source IP.
- A successful exploit response will be a ~150MB Java heap memory dump download. Alert on unusually large HTTP responses (>100MB) originating from /heapdump or similar Actuator endpoints.
- CVE-2025-48928 is a related sibling vulnerability in TeleMessage SGNL where a JSP app exposes a memory dump over HTTP; monitor for memory dump endpoint access patterns across both CVEs simultaneously.
- Zipkin through version 3.5.1 exposes the same /heapdump endpoint via Spring Boot Actuator and is similarly vulnerable; extend detection rules to cover Zipkin deployments.
- The vulnerability only exists when Spring Boot Actuator is configured with legacy/insecure defaults that expose the /heapdump endpoint without authentication. Newer Spring Boot versions do not expose this endpoint by default.
- On-premises TeleMessage SGNL installations may still be vulnerable even after the vendor's cloud remediation, as the cloud fix was applied centrally and does not automatically patch self-hosted deployments.
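The correlation described in the list above, as an added example (not code from this page or from any vendor): a Python pass over access log lines that flags GET requests to `/heapdump`, records whether the same source IP requested `/health` earlier, and raises the severity when the response body exceeds the 100MB threshold. The combined log format, the constructed sample lines, the severity labels and the matching of an `/actuator/` prefix are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, combined log format; IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
198.51.100.7 - - [16/Jul/2025:10:01:02 +0000] "GET /health HTTP/1.1" 200 17 "-" "probe"
198.51.100.7 - - [16/Jul/2025:10:01:09 +0000] "GET /heapdump HTTP/1.1" 200 157286400 "-" "probe"
203.0.113.20 - - [16/Jul/2025:10:05:00 +0000] "GET /actuator/health HTTP/1.1" 200 17 "-" "lb-check"
192.0.2.44 - - [16/Jul/2025:10:07:30 +0000] "GET /heapdump HTTP/1.1" 401 0 "-" "curl"
192.0.2.99 - - [16/Jul/2025:10:09:12 +0000] "GET /actuator/heapdump?x=1 HTTP/1.1" 200 1024 "-" "curl"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
LARGE_BODY = 100 * 1024 * 1024  # the >100MB alert threshold from the list above


def analyze(log_text):
    """Return one finding per GET /heapdump request, in log order."""
    probed_health = defaultdict(bool)  # source IP -> earlier /health request seen
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        # Drop the query string and trailing slash before comparing paths.
        path = m["target"].split("?", 1)[0].rstrip("/").lower()
        size = 0 if m["size"] == "-" else int(m["size"])
        status = int(m["status"])
        if path.endswith("/health"):
            probed_health[m["ip"]] = True
        elif m["method"] == "GET" and path.endswith("/heapdump"):
            served = 200 <= status < 300
            if served and size > LARGE_BODY:
                severity = "critical"  # a dump-sized body left the server
            elif served:
                severity = "high"      # endpoint answered with 2xx
            else:
                severity = "info"      # request was refused (e.g. 401/403/404)
            findings.append({
                "ip": m["ip"], "path": path, "status": status, "bytes": size,
                "after_health_probe": probed_health[m["ip"]], "severity": severity,
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

A `critical` or `high` finding means the endpoint is reachable and should be treated as exposed regardless of who sent the request; `info` findings are useful mainly for tracking scanning volume.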
CVSS provenance
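| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| ghsa | | 5.3 | MEDIUM | |
| osv | | 5.3 | MEDIUM | |
| vulncheck | | 5.3 | MEDIUM | |
| cisa | | 5.3 | MEDIUM | |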
OSV
Zipkin Server vulnerable to Insecure Resource Initialization through its /heapdump endpoint
osv·2025-07-04·CVSS 5.3
CVE-2025-53602 [MEDIUM] Zipkin Server vulnerable to Insecure Resource Initialization through its /heapdump endpoint
Zipkin through 3.5.1 has a /heapdump endpoint (associated with the use of Spring Boot Actuator), a similar issue to CVE-2025-48927.
GHSA
Zipkin Server vulnerable to Insecure Resource Initialization through its /heapdump endpoint
ghsa·2025-07-04·CVSS 5.3
CVE-2025-53602 [MEDIUM] CWE-1188 Zipkin Server vulnerable to Insecure Resource Initialization through its /heapdump endpoint
Zipkin through 3.5.1 has a /heapdump endpoint (associated with the use of Spring Boot Actuator), a similar issue to CVE-2025-48927.
GHSA
GHSA-vg5q-95gg-rqfg: The TeleMessage service through 2025-05-05 configures Spring Boot Actuator with an exposed heap dump endpoint at a /heapdump URI, as exploited in the
ghsa_unreviewed·2025-05-28
CVE-2025-48927 [MEDIUM] CWE-1188 GHSA-vg5q-95gg-rqfg: The TeleMessage service through 2025-05-05 configures Spring Boot Actuator with an exposed heap dump endpoint at a /heapdump URI, as exploited in the
The TeleMessage service through 2025-05-05 configures Spring Boot Actuator with an exposed heap dump endpoint at a /heapdump URI, as exploited in the wild in May 2025.
VulnCheck
TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability
vulncheck·2025·CVSS 5.3
CVE-2025-48927 [MEDIUM] CWE-1188 TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability
TeleMessage TM SGNL contains an initialization of a resource with an insecure default vulnerability. This vulnerability relies on how the Spring Boot Actuator is configured with an exposed heap dump endpoint at a /heapdump URI.
Affected: TeleMessage TM SGNL
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2025-48927; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.labs.greynoise.io/grimoire/2025-07-16-checking-the-scope-of-cve-2025-48927/; https://www.greynoi
VulnCheck
TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability
vulncheck·2025·CVSS 4.0
CVE-2025-48928 [MEDIUM] CWE-528 TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability
TeleMessage TM SGNL contains an exposure of core dump file to an unauthorized control sphere vulnerability. This vulnerability is based on a JSP application in which the heap content is roughly equivalent to a "core dump" in which a password previously sent over HTTP would be included in this dump.
Affected: TeleMessage TM SGNL
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2025-48928; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.labs.greynoise.io
CISA
TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability
cisa·2025-07-01·CVSS 5.3
CVE-2025-48927 [MEDIUM] CWE-1188 TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability
Vulnerability: TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability
Affected: TeleMessage TM SGNL
TeleMessage TM SGNL contains an initialization of a resource with an insecure default vulnerability. This vulnerability relies on how the Spring Boot Actuator is configured with an exposed heap dump endpoint at a /heapdump URI.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: It is recommended that mitigations be applied per vendor instructions if available. If these instructions cannot be located or if mitigations are unavailable, discontinue use of the product. https://nvd.nist.gov/vuln/detail/CVE-2025-48927
Reme
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Hackers scanning for TeleMessage Signal clone flaw exposing passwords
blogs_bleepingcomputer·2025-07-18·CVSS 5.3
CVE-2025-48927 [MEDIUM] Hackers scanning for TeleMessage Signal clone flaw exposing passwords
## Hackers scanning for TeleMessage Signal clone flaw exposing passwords
By Bill Toulas
“As of July 16, GreyNoise has observed 11 IPs attempting to exploit CVE-2025-48927,” reports GreyNoise.
“Related reconnaissance behavior is ongoing. Our telemetry shows active scanning for Spring Boot Actuator endpoints, a potential precursor to identifying systems affected by CVE-2025-48927.”
According to GreyNoise, more than two thousand IPs have scanned for Spring Boot Actuator endpoints over the past months, a little over 75% of them targeting the ‘/health’ endpoints specifically.
The CVE-2025-48927 vulnerability is caused by exposing the ‘/heapdump’ endpoint from Spring Boot Actuator without authentication. TeleMessage addressed the issue but some on-prem installations are still vulnerable.
Greynoiseio
Flaw in Signal App Clone Could Leak Passwords — GreyNoise Identifies Active Reconnaissance and Exploit Attempts
blogs_greynoiseio·2025-07-17·CVSS 5.3
[MEDIUM] Flaw in Signal App Clone Could Leak Passwords — GreyNoise Identifies Active Reconnaissance and Exploit Attempts
Greynoiseio
NoiseLetter July 2025
blogs_greynoiseio
2025-05-28: Published
2025-07-01: Added to CISA KEV
Exploited in the wild