The Israeli-developed TeleMessage SGNL messaging app, widely adopted by U.S. government agencies, financial institutions and legal firms, is being exploited by malicious actors.

A critical vulnerability affecting TeleMessage SGNL, a secure enterprise messaging and compliance platform modeled after Signal, is currently being exploited by malicious actors. The flaw—tracked as CVE-2025-48927—allows unauthenticated attackers to access sensitive memory dumps containing highly confidential user data.

Vulnerability Overview

The vulnerability stems from an insecure configuration in the Spring Boot framework used by TeleMessage SGNL. Specifically, the /heapdump endpoint, intended for diagnostics, was publicly exposed without authentication. This endpoint can generate and transmit a full memory dump of the application, often including plaintext credentials, session tokens, encryption keys, and other sensitive data.

Although modern versions of Spring Boot disable these endpoints by default, TeleMessage SGNL deployments continued to use legacy configurations that left this critical interface exposed to the public internet.

Active Exploitation Confirmed

Since the public disclosure of the vulnerability in May 2025, security researchers have observed an escalating pattern of exploitation:

  • Security logs confirm that more than 2,000 IP addresses have scanned for vulnerable Spring Boot actuator endpoints.
  • At least 11 IP addresses have been documented actively downloading heap dump data from unprotected SGNL endpoints.
  • Threat actors are extracting sensitive memory contents to gain access to user communications, credentials, and encryption mechanisms.

Impact and Exposure

TeleMessage SGNL has been widely adopted by U.S. government agencies, financial institutions, legal firms, and enterprises requiring compliant archiving of encrypted communications. Among the affected are:

  • Over 60 U.S. government agencies, including FEMA, U.S. Customs and Border Protection, the Secret Service, and officials linked to the Executive Office of the President.
  • Multiple financial services firms integrating SGNL into their compliance workflows.

Because TeleMessage SGNL modifies the original Signal protocol to support organizational compliance, including centralized archiving and identity verification, the system operates without full end-to-end encryption. This design choice further amplifies the damage once attackers gain access to server memory or archived communications.

Government Warning and Mitigation Steps

On July 14, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-48927 to its Known Exploited Vulnerabilities (KEV) catalog, ordering federal agencies to patch or disconnect vulnerable systems no later than July 22, 2025.

CISA and cyber defense experts recommend the following actions for affected organizations:

  • Immediately disable or restrict access to all actuator endpoints, especially /heapdump, /env, and /health.
  • Patch all SGNL instances to the latest Spring Boot configuration that disables unsecured diagnostic access by default.
  • Conduct forensic analysis to determine whether heap dumps have been accessed or exfiltrated.
  • Rotate credentials and keys that may have been stored in memory at the time of exploitation.
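The forensic-analysis step above comes down to one question: which sources merely scanned for actuator endpoints, and which actually received a heap dump? The following triage script is an added example (not from the article or from TeleMessage) that answers it over constructed access-log lines; it assumes the standard combined log format and the two actuator base paths (/heapdump on legacy Spring Boot 1.x, /actuator/heapdump on 2.x).

```python
import re
from collections import defaultdict

# Combined log format: client IP, timestamp, request line, status, bytes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) (?P<bytes>\d+|-)')

# Endpoint ids from the advisory, matched on legacy (/heapdump) and 2.x (/actuator/heapdump) paths.
SENSITIVE = ("heapdump", "env", "health")

def classify(path):
    """Return the actuator endpoint id a request targets, or None."""
    p = path.split("?", 1)[0].rstrip("/").lower()
    return next((ep for ep in SENSITIVE if p.endswith("/" + ep)), None)

def triage(lines):
    """Per source IP: actuator probes and successful (HTTP 200) heap dump downloads."""
    per_ip = defaultdict(lambda: {"probes": 0, "heapdump_downloads": 0, "bytes": 0})
    for line in lines:
        m = LOG_RE.match(line)
        ep = classify(m["path"]) if m else None
        if ep is None:
            continue                      # not an actuator request
        rec = per_ip[m["ip"]]
        if ep == "heapdump" and m["status"] == "200":
            # Server answered with a dump body: treat as confirmed exfiltration.
            rec["heapdump_downloads"] += 1
            rec["bytes"] += 0 if m["bytes"] == "-" else int(m["bytes"])
        else:
            rec["probes"] += 1            # scan or blocked attempt (401/403/404)
    return dict(per_ip)

def exfiltration_sources(per_ip):
    """IPs that retrieved at least one heap dump, largest transfer first."""
    hits = [ip for ip, r in per_ip.items() if r["heapdump_downloads"]]
    return sorted(hits, key=lambda ip: -per_ip[ip]["bytes"])

# Constructed sample access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [15/Jul/2025:02:14:07 +0000] "GET /actuator/health HTTP/1.1" 200 15
203.0.113.10 - - [15/Jul/2025:02:14:09 +0000] "GET /actuator/heapdump HTTP/1.1" 200 187654321
198.51.100.7 - - [15/Jul/2025:02:20:41 +0000] "GET /heapdump HTTP/1.1" 404 153
198.51.100.7 - - [15/Jul/2025:02:20:42 +0000] "GET /env HTTP/1.1" 404 153
192.0.2.55 - - [15/Jul/2025:03:01:00 +0000] "GET /login HTTP/1.1" 200 2048
192.0.2.55 - - [15/Jul/2025:03:01:05 +0000] "GET /heapdump?x=1 HTTP/1.1" 200 201000000
""".splitlines()

if __name__ == "__main__":
    print(exfiltration_sources(triage(SAMPLE_LOG)))
```

Any IP reported by exfiltration_sources should drive the credential and key rotation step, since everything resident in the JVM heap at that moment must be assumed compromised.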
