
    New TeleMessage SGNL Flaw Is Actively Being Exploited by Attackers

    By Declan Murphy, July 18, 2025


    TeleMessage SGNL, a made-in-Israel clone of the Signal app used by US government agencies and regulated companies, has been found running with an outdated configuration that exposes sensitive internal data to the internet, no login required.

    The main cause of the problem is that some deployments of TeleMessage SGNL use older versions of Spring Boot, a Java-based framework. These versions leave a diagnostic endpoint called /heapdump exposed by default.

    When not locked down, this endpoint returns a full memory snapshot of the app, weighing in at around 150MB. These dumps can contain usernames, passwords, session details, and other data that should never be public.

    According to cybersecurity researchers at GreyNoise, who identified this exploitation and shared its details with Hackread.com earlier today, even though newer Spring Boot releases disable this by default, TeleMessage instances were still running the insecure configuration as late as May 5, 2025.

    The vulnerability, tracked as CVE-2025-48927, was added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalogue on July 14, which also means that real-world attacks are already underway.

    According to GreyNoise, attackers have wasted no time. As of July 16, at least 11 IPs have been logged attempting to exploit the flaw directly. These aren't random pings; they're specific attempts to retrieve the heap memory from exposed TeleMessage SGNL deployments.

    The scanning doesn't stop there. In the past 90 days, over 2,000 IPs have probed Spring Boot Actuator endpoints in general. More than 1,500 IPs targeted the /health endpoint, often used by attackers to check whether an app is built on Spring Boot and possibly misconfigured. This kind of scanning is often a sign that more targeted exploitation may follow.

    GreyNoise has created a dedicated tracking tag for this activity. The tag identifies scanning behaviour specific to TeleMessage SGNL instances running with the vulnerable /heapdump endpoint exposed.

    TeleMessage SGNL and Cybersecurity Issues

    Security flaws can surface in any platform, but the issue with TeleMessage is more serious. This is a service built to protect sensitive communication, used by government agencies and enterprise organisations, yet it was left open because of outdated setup choices.

    When a platform selling secure communication is involved, these kinds of misconfigurations can damage more than just systems. However, reputational damage is not new at TeleMessage. Back in May 2025, the platform suffered a massive breach after an anonymous hacker broke into its systems. The attacker accessed backend infrastructure and private user messages, forcing the company to take its website offline.

    Just days later, on May 13, CISA added CVE-2025-47729, the vulnerability behind that breach, to its Known Exploited Vulnerabilities (KEV) list. Then things got worse. Distributed Denial of Secrets (DDoSecrets), a nonprofit known for publishing leaked datasets, archived and indexed the entire stolen dataset on its website. That archive contained 410 gigabytes of sensitive data taken from the breach.

    CISA’s Binding Operational Directive

    Under its Binding Operational Directive, CISA has instructed all federal agencies to either apply available patches or stop using the affected software by July 22, 2025. While the directive only applies to federal systems, it's a strong reminder for any organisation using TeleMessage SGNL to act quickly.

    Until confirmed patches are applied, the safer approach is to restrict access or temporarily disable the app in environments handling sensitive communication. Still, researchers are urging organisations using TeleMessage or Spring Boot for internal services to take this seriously and:

    • Review all Actuator endpoint exposure
    • Disable or restrict access to the /heapdump endpoint immediately
    • Block IPs flagged by GreyNoise that are probing for this vulnerability
    • Upgrade to a supported version of Spring Boot that uses safer default configurations
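
For the review step, one way to triage your own web access logs for the scanning described above (an added example, not code from GreyNoise, Hackread or TeleMessage). It assumes Combined Log Format; the sample lines, the `triage` function and the 10 MB size threshold are constructed for illustration.

```python
import re

# Combined Log Format: ip ident user [time] "METHOD path proto" status bytes
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# /heapdump and /health as named in the article, plus the /actuator/ prefix
# that Spring Boot 2 and later put in front of Actuator endpoints.
ACTUATOR = re.compile(r'^(?:/actuator)?/(heapdump|health)(?:[/?]|$)', re.I)
# Assumed cut-off for "a real dump went out"; the article cites ~150MB dumps.
DUMP_MIN_BYTES = 10 * 1024 * 1024
RANK = {"probe": 0, "attempt": 1, "dump_served": 2}

def triage(lines):
    """Map each client IP to its most severe verdict."""
    verdicts = {}
    for line in lines:
        m = LINE.match(line)
        ep = ACTUATOR.match(m["path"]) if m else None
        if not ep:
            continue  # unparseable line or unrelated path
        size = 0 if m["size"] == "-" else int(m["size"])
        if ep[1].lower() == "health":
            verdict = "probe"        # fingerprinting; also hit by load balancers
        elif m["status"] == "200" and size >= DUMP_MIN_BYTES:
            verdict = "dump_served"  # treat secrets in memory as disclosed
        else:
            verdict = "attempt"      # heap dump requested but not delivered
        if RANK[verdict] > RANK.get(verdicts.get(m["ip"]), -1):
            verdicts[m["ip"]] = verdict
    return verdicts

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Jul/2025:10:01:02 +0000] "GET /health HTTP/1.1" 200 15',
    '203.0.113.7 - - [16/Jul/2025:10:01:05 +0000] "GET /heapdump HTTP/1.1" 200 157286400',
    '198.51.100.23 - - [16/Jul/2025:10:02:11 +0000] "GET /actuator/heapdump HTTP/1.1" 404 153',
    '192.0.2.50 - - [16/Jul/2025:10:03:00 +0000] "GET /actuator/health HTTP/1.1" 200 15',
    '192.0.2.99 - - [16/Jul/2025:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_LOG).items():
        print(f"{ip}\t{verdict}")
```

A `dump_served` verdict means credentials and session data held in memory at that time should be rotated, not just that the source IP should be blocked.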


