Background
On the first of July (2025), CISA’s KEV brought a fun little vulnerability to my attention. The alert reports two newly added known exploited vulnerabilities: CVE-2025-48927 and CVE-2025-48928. CVE-2025-48928 requires local exploitation, and so is not “GreyNoiseable” at this time. However, CVE-2025-48927 is remotely exploitable and requires no user interaction. It exists in TeleMessage TM SGNL, a Signal clone that archives copies of all messages passing through it. The commonly cited Wired article does a good job of covering the background and “technical” details. Still, even as a researcher, I was left in disbelief at the simplicity of this exploit. Was there a hype cycle for this? If so, I must have missed it, and many others must have as well, because after some digging, I found that many devices are still open and vulnerable to this.
Vulnerability details
CVE-2025-48927 is assigned to TeleMessage (Smarsh), but the underlying issue is a well-known Spring Boot Actuator misconfiguration: the /heapdump endpoint is reachable over HTTP without authentication, which older Spring Boot 1.x releases did by default. What does that mean? It means that a simple curl -X GET http://<ip>:<port>/heapdump (or /actuator/heapdump, the default base path on Spring Boot 2.x and later) has the potential to download a ~150MB file containing plain-text usernames and passwords (and more)! The NVD description states that the TeleMessage service, through 2025-05-05, continued to configure Spring Boot this way; however, the Wired article notes that this was only the default configuration in Spring Boot versions up to 1.5, from 2017, so a deployment running anything newer had to opt into exposing it.
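Once a dump like that is in hand (your own, during an assessment, or one pulled from an exposed host you are authorised to test), the question is how quickly you can confirm it leaks credentials. The following is an added example, not code from the original post or from TeleMessage: a small HPROF triage script that validates the heap dump header and then scans for credential-looking strings in both layouts a JVM uses for String contents (Latin-1 byte[] on Java 9+, UTF-16 char[] on older JVMs, which HPROF writes big-endian). The credential patterns, the sample bytes and the function names are all constructed for this example.

```python
import mmap
import re
import struct

# A Java heap dump begins with "JAVA PROFILE 1.0.x\0", then a u4 identifier
# size and a u8 timestamp.  HPROF is big-endian throughout.
HPROF_MAGIC = b"JAVA PROFILE 1.0."

# Patterns that usually indicate credentials or connection strings in a heap.
# Constructed for this example; extend them for the application under review.
CREDENTIAL_PATTERNS = [
    re.compile(r"(?i)\b(?:password|passwd|pwd|secret|token)\s*[=:]\s*\S+"),
    re.compile(r"jdbc:[a-z0-9]+:\S+"),
    re.compile(r"Authorization:\s*(?:Basic|Bearer)\s+\S+"),
]

MIN_LEN = 8  # shortest printable run worth decoding

# Java 9+ stores Latin-1 Strings as byte[] (one byte per char); earlier JVMs,
# and any non-Latin-1 String, use char[], which HPROF serialises as UTF-16-BE.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16BE_RUN = re.compile(rb"(?:\x00[\x20-\x7e]){%d,}" % MIN_LEN)


def is_hprof(data) -> bool:
    """True if `data` starts with a plausible HPROF header."""
    if data[:len(HPROF_MAGIC)] != HPROF_MAGIC:
        return False
    nul = data.find(b"\x00", 0, 32)
    if nul == -1 or len(data) < nul + 1 + 4 + 8:
        return False
    (id_size,) = struct.unpack(">I", data[nul + 1:nul + 5])
    return id_size in (4, 8)


def extract_strings(data):
    """Yield printable runs as Python str, from both String storage layouts."""
    for m in ASCII_RUN.finditer(data):
        yield m.group().decode("ascii")
    for m in UTF16BE_RUN.finditer(data):
        yield m.group().decode("utf-16-be")


def find_credentials(data):
    """Return the sorted, de-duplicated credential-looking fragments in `data`."""
    hits = set()
    for s in extract_strings(data):
        for pat in CREDENTIAL_PATTERNS:
            hits.update(m.group() for m in pat.finditer(s))
    return sorted(hits)


def triage(path):
    """Memory-map a dump on disk (they run to hundreds of MB) and scan it."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        if not is_hprof(mm):
            raise ValueError(f"{path}: not an HPROF heap dump")
        return find_credentials(mm)


def build_sample_dump() -> bytes:
    """Constructed stand-in for a real dump: a valid header followed by raw
    bytes laid out the way the two String storage formats appear in a heap."""
    header = b"JAVA PROFILE 1.0.2\x00" + struct.pack(">IQ", 4, 0)
    latin1 = b"spring.datasource.password=hunter2"        # byte[] String
    utf16 = "smtp.token=abc".encode("utf-16-be")          # char[] String
    jdbc = b"jdbc:postgresql://db.internal:5432/archive"
    return header + b"\x05\x01" + latin1 + b"\x00\x00\x00" + utf16 + b"\x08" + jdbc


if __name__ == "__main__":
    import sys
    hits = triage(sys.argv[1]) if len(sys.argv) > 1 else find_credentials(build_sample_dump())
    print("\n".join(hits))
```

Run it as `python3 triage.py heapdump.hprof` against a real file; without an argument it scans the constructed sample. A hit list is a starting point for rotation, not proof of compromise: strings in a heap can be stale, and a serious review would walk the HPROF record stream to tie each char[] or byte[] back to the object that references it.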
The simplest mitigation to this vulnerability is to block access to all Spring Boot Actuator endpoints other than /health and /info. Better still, do not expose heapdump over HTTP at all, and put whatever management endpoints remain behind authentication or on a separate management port that is not reachable from the internet.
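Here is what that looks like in application.properties for Spring Boot 2.x/3.x, as an added example rather than configuration taken from the post or from TeleMessage. The weak block reproduces the effect of the vulnerable deployment; the corrected block is the minimal hardening a reviewer would ask for. The port and address values are assumptions.

```properties
# --- Weak: every Actuator endpoint served over HTTP on the application port ---
management.endpoints.web.exposure.include=*

# --- Corrected ---
# Only health and info are exposed over HTTP; exclude takes precedence over
# include, so listing heapdump here guards against a later "*" slipping in.
management.endpoints.web.exposure.include=health,info
management.endpoints.web.exposure.exclude=heapdump,env,threaddump
# Disable the endpoint entirely rather than merely not exposing it.
management.endpoint.heapdump.enabled=false
# Serve what remains on a separate management port bound to loopback
# (assumed values; pick what your deployment actually needs).
management.server.port=8081
management.server.address=127.0.0.1
# Keep health from leaking component details to unauthenticated callers.
management.endpoint.health.show-details=never
```

On Spring Boot 1.x the equivalents are endpoints.heapdump.enabled=false, management.security.enabled=true and management.port / management.address. To verify, request http://<host>:<app-port>/actuator/heapdump from outside: it should return 404, and /actuator/health should answer only on the management port.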
Scale
As of 2025-07-14 I was able to aggregate 334 IPs between Shodan and Censys that were currently running Spring Boot Actuator. Of those, 217 were found to have the /info endpoint open, which does not bode well for whether or not they have /heapdump accessible.
Within the past 90 days, we’ve seen 2,006 IPs scanning for Spring Boot Actuator endpoints in general, 1,580 scanning for Spring Boot /health checks (as indications of poor configuration), and are now tracking checks for /heapdump.
TL;DR
- CVE-2025-48927 is a critical vulnerability affecting TeleMessage TM SGNL, a Signal clone that archives all messages passing through it.
- The vulnerability is rooted in the Spring Boot Actuator framework, which in older versions exposes the /heapdump endpoint publicly and without authentication by default.
- Exploiting this flaw is trivial: an attacker can simply send a GET request to /heapdump and download a large file (~150MB) containing sensitive, plain-text data such as usernames and passwords.
- The issue persisted in TeleMessage services up to May 5, 2025, but some sources claim the vulnerable default configuration was only present in Spring Boot versions up to 1.5 from 2017.
- The simplest mitigation is to block access to all Spring Boot Actuator endpoints except /health and /info.
- As of July 14, 2025:
  - 334 IPs were identified as running Spring Boot Actuator [1][2].
  - 217 had the /info endpoint open, suggesting possible exposure of /heapdump.
  - In the past 90 days, 2,006 IP addresses were observed scanning for Spring Boot Actuator endpoints, with 1,580 targeting /health, and active monitoring continues for /heapdump scans.
- The vulnerability is deemed severe because of how easily it can be exploited and the sensitive data it exposes.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-48927#match-16819522
https://www.wired.com/story/how-the-signal-knock-off-app-telemessage-got-hacked-in-20-minutes/
https://www.wiz.io/blog/spring-boot-actuator-misconfigurations
https://docs.spring.io/spring-boot/api/rest/actuator/heapdump.html