CVE-2025-48928
Published 2025-05-28
Priority P2 · 76 · medium 4 · CVSS 3.1
Vector: AV:L / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N
KEV · ITW
CISA Known Exploited Vulnerability, due 2025-07-22
Exploited in the wild
EPSS: 0.37% (28.5th percentile)
The TeleMessage service through 2025-05-05 is based on a JSP application in which the heap content is roughly equivalent to a "core dump" in which a password previously sent over HTTP would be included in this dump, as exploited in the wild in May 2025.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| telemessage | service | <= 2025-05-05 | — |
Detection & IOCs (extracted from sources)
- Monitor and alert on unauthenticated HTTP GET requests to the /heapdump Spring Boot Actuator endpoint, which allows downloading a ~150MB Java heap memory dump containing plaintext credentials and tokens.
- Treat scanning activity against /health and other Spring Boot Actuator endpoints as a precursor/reconnaissance indicator for CVE-2025-48928 exploitation attempts.
- Flag large HTTP responses (~150MB) originating from /heapdump or similar Actuator endpoints as a strong indicator of successful data exfiltration.
- CVE-2025-48928 specifically affects the JSP-based TeleMessage TM SGNL application where heap content acts as a core dump exposing passwords sent over HTTP; this is distinct from but related to CVE-2025-48927 (the unauthenticated /heapdump Spring Boot Actuator endpoint). Detection logic should cover both CVEs when targeting TeleMessage/SGNL deployments.
- Cloud-hosted TeleMessage instances were remediated in early May 2025; remaining exposure is limited to on-premises installations that have not applied vendor patches. Prioritize detection/hunting on on-prem deployments.
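The three log-based checks above, combined into one pass over web access logs, as an added example that is not part of the original page or any vendor rule. It assumes Combined Log Format input, treats a `-` user field as "unauthenticated", also matches the default `/actuator` path prefix, and uses a 100 MiB size threshold chosen here to sit below the ~150MB dump size.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Endpoints named on this page; the optional /actuator prefix is an assumption.
HEAPDUMP_RE = re.compile(r'^(?:/actuator)?/heapdump/?$', re.I)
RECON_RE = re.compile(r'^(?:/actuator)?/health/?$', re.I)
LARGE_BYTES = 100 * 1024 * 1024  # assumed threshold, below the ~150MB dump


def analyze(lines):
    """Return (severity, ip, reason) findings in log order."""
    findings, probed = [], defaultdict(int)  # probed: ip -> recon probes so far
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, user, method = m["ip"], m["user"], m["method"]
        path = m["path"].split("?", 1)[0]  # ignore any query string
        status, size = int(m["status"]), 0 if m["size"] == "-" else int(m["size"])
        if RECON_RE.match(path):
            probed[ip] += 1
            findings.append(("low", ip, "actuator probe (possible recon)"))
        elif HEAPDUMP_RE.match(path) and method == "GET":
            if status == 200 and size >= LARGE_BYTES:
                sev, why = "critical", f"heap dump downloaded ({size} bytes)"
            elif user == "-":
                sev, why = "high", f"unauthenticated /heapdump request (HTTP {status})"
            else:
                sev, why = "medium", f"/heapdump request by user {user}"
            if probed[ip]:
                why += " after prior actuator probing"
            findings.append((sev, ip, why))
    return findings


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [04/May/2025:10:00:01 +0000] "GET /health HTTP/1.1" 200 17 "-" "curl/8.0"',
    '203.0.113.7 - - [04/May/2025:10:00:05 +0000] "GET /heapdump HTTP/1.1" 200 157286400 "-" "curl/8.0"',
    '198.51.100.9 - - [04/May/2025:10:02:00 +0000] "GET /actuator/heapdump HTTP/1.1" 404 0 "-" "scanner"',
    '192.0.2.4 - alice [04/May/2025:10:03:00 +0000] "GET /index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
for finding in analyze(SAMPLE):
    print(finding)
```

A 404 on `/heapdump` is still reported, because a failed attempt shows the host is being targeted even though nothing was exposed.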
CVSS provenance
- nvd · v3.1 · 4.0 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- vulncheck · 4.0 MEDIUM
- cisa · 4.0 MEDIUM
CISA
TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability
cisa·2025-07-01·CVSS 4.0
CVE-2025-48928 [MEDIUM] CWE-528 TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability
Vulnerability: TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability
Affected: TeleMessage TM SGNL
TeleMessage TM SGNL contains an exposure of core dump file to an unauthorized control sphere Vulnerability. This vulnerability is based on a JSP application in which the heap content is roughly equivalent to a "core dump" in which a password previously sent over HTTP would be included in this dump.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: It is recommended that mitigations be applied per vendor instructions if available. If these instructions cannot be located or if mitigations are unavailable, disconti
GHSA
GHSA-54mq-99qq-7hr5: The TeleMessage service through 2025-05-05 is based on a JSP application in which the heap content is roughly equivalent to a "core dump" in which a p
ghsa_unreviewed·2025-05-28
CVE-2025-48928 [MEDIUM] CWE-528 GHSA-54mq-99qq-7hr5: The TeleMessage service through 2025-05-05 is based on a JSP application in which the heap content is roughly equivalent to a "core dump" in which a p
The TeleMessage service through 2025-05-05 is based on a JSP application in which the heap content is roughly equivalent to a "core dump" in which a password previously sent over HTTP would be included in this dump, as exploited in the wild in May 2025.
VulnCheck
TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability
vulncheck·2025·CVSS 4.0
CVE-2025-48928 [MEDIUM] CWE-528 TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability
TeleMessage TM SGNL contains an exposure of core dump file to an unauthorized control sphere Vulnerability. This vulnerability is based on a JSP application in which the heap content is roughly equivalent to a "core dump" in which a password previously sent over HTTP would be included in this dump.
Affected: TeleMessage TM SGNL
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2025-48928; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.labs.greynoise.io
No detection rules found.
No public exploits indexed.
- 2025-05-28: Published
- 2025-07-01: Added to CISA KEV
- Exploited in the wild