Signal App Clone ‘TeleMessage’ Vulnerability Exploit Could Expose Passwords

Written by: Lore Apostol, Cybersecurity Writer

A recently disclosed vulnerability, CVE-2025-48927, affects TeleMessage™ SGNL, a Signal-based messaging app clone. It exposes sensitive user data, including usernames and passwords, by leaving the /heapdump endpoint reachable without authentication.

The Vulnerability Explained  

CVE-2025-48927 stems from an outdated configuration in Spring Boot Actuator, where a diagnostic endpoint inadvertently allows access to heap memory dumps. These dumps—often exceeding 150 MB—may contain plaintext usernames, passwords, and other critical credentials. 

Despite new versions of Spring Boot disabling this risky endpoint by default, TeleMessage implementations retained the vulnerable setting until at least May 2025.  

The exposure of the /heapdump endpoint in TeleMessage™ SGNL reflects a broader trend in cloud service vulnerabilities, such as the RCE flaw in Oracle Cloud Shell recently disclosed by Tenable, where unprotected internal interfaces left critical data accessible without authentication.

Exploitation Attempts  

Cyber threat detection platform GreyNoise recently reported that it identified 11 active IPs attempting direct exploitation of CVE-2025-48927, along with significant reconnaissance activity.

Over 2,000 IPs have scanned for Spring Boot Actuator endpoints in the past three months, indicating widespread efforts to locate and exploit vulnerable systems, while almost 1,600 IPs specifically targeted /health endpoints, which are commonly used to fingerprint internet-exposed Spring Boot deployments.

Notably, malicious actors are using these scans strategically to identify unprotected environments hosting TeleMessage™ SGNL.

Mitigation Strategies  

To neutralize this growing threat, organizations using vulnerable versions of TeleMessage or Spring Boot must take immediate action.  
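The setting at the heart of this issue is how Spring Boot Actuator exposes its endpoints. The following added example (not TeleMessage or Spring Boot code) audits an `application.properties` file for a web-reachable heapdump endpoint, placing a permissive configuration of the kind described above beside a corrected one. It assumes Spring Boot 2.x/3.x property names and a default `web.exposure.include` value of `health`; the property keys are real Spring Boot keys, the sample configs are constructed.

```python
"""Audit a Spring Boot 2.x/3.x application.properties for /heapdump exposure.
Added example (not TeleMessage or Spring code); assumes the Spring Boot 2.x/3.x
property names below and an include default of "health" (assumption)."""


def parse_properties(text: str) -> dict:
    """Minimal .properties parser: key=value lines, comments ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _csv(value: str) -> set:
    return {item.strip() for item in value.split(",") if item.strip()}


def heapdump_web_exposed(props: dict) -> bool:
    """True when Actuator would serve /actuator/heapdump over HTTP.
    Mirrors Spring Boot's order: endpoint enabled, listed in
    web.exposure.include ("*" = all), and not in web.exposure.exclude
    (exclude wins over include)."""
    default_enabled = props.get("management.endpoints.enabled-by-default", "true")
    if props.get("management.endpoint.heapdump.enabled", default_enabled).lower() != "true":
        return False
    include = _csv(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    if "*" in exclude or "heapdump" in exclude:
        return False
    return "*" in include or "heapdump" in include


# Constructed configs: the permissive setting the article describes, and a fix.
WEAK_CONFIG = """
management.endpoints.web.exposure.include=*
"""
FIXED_CONFIG = """
management.endpoints.web.exposure.include=health
management.endpoint.heapdump.enabled=false
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "heapdump exposed:", heapdump_web_exposed(parse_properties(cfg)))
```

The check only reflects the configuration level: an exposed endpoint may still be guarded by Spring Security or a reverse proxy, and a YAML configuration or environment-variable override is not read by this parser.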

Tenable’s disclosure of a remote code execution flaw in Oracle’s Cloud Shell shares an architectural weakness with the SGNL heapdump exposure: both stem from diagnostic interfaces intended for internal use but left publicly reachable.

In May, a hacker breached TeleMessage, reportedly used by former National Security Adviser Mike Waltz, as well as altered versions of WhatsApp, Telegram, and WeChat. 

DarkCrystal RAT targeted Ukrainian Defense employees through Signal in March, and hackers using AI to impersonate Marco Rubio on Signal targeted foreign and US politicians.
