CVE-2025-48927 — TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability

TeleMessage TM SGNL — Unauthenticated Spring Boot Actuator /heapdump Endpoint Exposed

What is TeleMessage TM SGNL?

TeleMessage is an Israeli company that markets compliance-archiving versions of popular encrypted messaging apps for regulated industries. TM SGNL is their Signal-derived application modified to route messages through a proprietary archiving backend. The server-side component is a Java application built on the Spring Boot framework. See also CVE-2025-47729 (cleartext message storage) and CVE-2025-48928 (heap dump credential exposure).

Overview

TeleMessage TM SGNL contains an initialization of a resource with an insecure default vulnerability (CWE-1188). The backend server runs Spring Boot with the Actuator management library enabled, and the /heapdump actuator endpoint was left exposed without authentication. This allowed any unauthenticated remote attacker with network access to the server to download a complete Java Virtual Machine (JVM) heap dump — a binary snapshot of the running process's memory.

The /heapdump endpoint is a standard Spring Boot Actuator feature intended for diagnostic use in development. Leaving it accessible in production without authentication is a misconfiguration that directly enabled the May 2025 TeleMessage breach.

Affected Versions

Product: TeleMessage TM SGNL backend (all versions)
Status: Vulnerable — no patch issued; service suspended

TeleMessage suspended all services following the May 2025 breach disclosure. No patched version was released.

Technical Details

Spring Boot Actuator is a module that adds production-ready operational features to Spring Boot applications, including health checks, metrics, and diagnostic endpoints. By default in some Spring Boot configurations, these endpoints are exposed without access controls.

The /heapdump endpoint, when enabled and exposed:

  1. Triggers a GC-safe heap dump of the running JVM process
  2. Streams the dump (an HPROF-format binary file) to the requester over HTTP
  3. Requires no authentication in TeleMessage's misconfigured deployment

The heap dump captured a snapshot of all objects in memory at the time of the request — including:

  • Decrypted message content being processed for archiving (see CVE-2025-47729)
  • Authentication credentials and session tokens
  • Database connection strings and passwords (see CVE-2025-48928)

Because the TM SGNL backend processes plaintext message content as part of its archiving function, the heap dump contained message data that users assumed was protected by Signal's end-to-end encryption.

Attack characteristics:

  • Single HTTP GET request to the /heapdump endpoint
  • No authentication, no credentials required
  • Response is a complete HPROF binary file containing JVM heap contents
  • Analysis with any HPROF-compatible tool (Eclipse MAT, jhat, VisualVM) reveals plaintext strings
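As an added example, not code from the advisory or from TeleMessage: the request pattern above leaves a recognisable trace in ordinary web-server access logs, so a defender can detect a heap dump being served. The Java class below scans combined-format access-log lines for a 2xx response from a heapdump path (the bare /heapdump named in this advisory and the /actuator/heapdump default of Spring Boot 2 and later) and reports the client, time and response size. The log lines, client addresses and sizes are constructed for the example.

```java
// Added example (not part of the advisory): flag successful downloads of the
// Spring Boot Actuator heap dump endpoint in web-server access logs.
// Assumes the Apache/Nginx "combined" log format; the sample lines are constructed.
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class HeapDumpAccessDetector {

    // combined format: client ident user [time] "method path proto" status bytes "referer" "agent"
    private static final Pattern LINE = Pattern.compile(
        "^(\\S+) \\S+ \\S+ \\[([^\\]]+)\\] \"(\\S+) (\\S+) [^\"]*\" (\\d{3}) (\\d+|-)");

    // Heap dump paths: the bare /heapdump seen in the TeleMessage deployment and
    // /actuator/heapdump (or any other base path) used by Spring Boot 2 and later.
    // Query strings are tolerated; matching is case-insensitive.
    private static final Pattern HEAPDUMP_PATH = Pattern.compile(
        "^(?:/[^?]*)?/heapdump(?:\\?.*)?$", Pattern.CASE_INSENSITIVE);

    public record Finding(String client, String timestamp, String path, int status, long bytes) {}

    /** Returns one finding per log line that records a 2xx response from a heapdump path. */
    public static List<Finding> scan(List<String> logLines) {
        List<Finding> findings = new ArrayList<>();
        for (String line : logLines) {
            Matcher m = LINE.matcher(line);
            if (!m.find()) continue;                      // not a combined-format line
            String path = m.group(4);
            int status = Integer.parseInt(m.group(5));
            if (!HEAPDUMP_PATH.matcher(path).matches()) continue;
            if (status < 200 || status >= 300) continue;  // 401/403/404 means the endpoint was locked down
            long bytes = "-".equals(m.group(6)) ? 0L : Long.parseLong(m.group(6));
            findings.add(new Finding(m.group(1), m.group(2), path, status, bytes));
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample lines, not real traffic.
        List<String> sample = List.of(
            "198.51.100.7 - - [04/May/2025:13:02:11 +0000] \"GET /actuator/health HTTP/1.1\" 200 15 \"-\" \"curl/8.0\"",
            "198.51.100.7 - - [04/May/2025:13:02:19 +0000] \"GET /heapdump HTTP/1.1\" 200 734003200 \"-\" \"curl/8.0\"",
            "203.0.113.9 - - [04/May/2025:13:05:40 +0000] \"GET /actuator/heapdump HTTP/1.1\" 401 0 \"-\" \"python-requests/2.31\"",
            "203.0.113.9 - - [04/May/2025:13:05:41 +0000] \"GET /api/messages?page=2 HTTP/1.1\" 200 5120 \"-\" \"python-requests/2.31\"");
        // Only the second line is reported: a 200 from /heapdump with a very large body.
        for (Finding f : scan(sample)) {
            System.out.printf("ALERT heap dump served: client=%s time=%s path=%s status=%d bytes=%d%n",
                f.client(), f.timestamp(), f.path(), f.status(), f.bytes());
        }
    }
}
```

A 401, 403 or 404 on the same path is deliberately ignored: those are the responses a correctly locked-down deployment returns, and the point of the check is the successful download. A response body in the hundreds of megabytes from a single GET is the heap dump itself being streamed to the client, which is why the size is carried into the finding.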

Discovery

A security researcher discovered and exploited the exposed endpoint during the May 2025 TeleMessage breach. According to 404 Media reporting, the entire compromise — from initial access to data extraction — took approximately 20 minutes.

Exploitation Context

The vulnerability was actively exploited in the May 2025 TeleMessage breach. The attacker used the unauthenticated /heapdump endpoint to extract memory contents from the production server. The heap dump revealed:

  • Plaintext message content from TM SGNL users
  • Credentials for TeleMessage's backend infrastructure
  • Metadata identifying government agency users

The incident affected U.S. government officials, law enforcement, and financial sector users of TM SGNL. TeleMessage suspended all services immediately following public reporting.

Remediation

  1. Discontinue use of TeleMessage products — no patch is available; services were suspended.
  2. For other Spring Boot applications: restrict Actuator endpoints using Spring Security or a reverse proxy. Set management.endpoints.web.exposure.include to only necessary endpoints and never expose /heapdump on production internet-facing systems.
  3. Audit Spring Boot Actuator configurations in any Java-based application deployed publicly.
  4. Review CVE-2025-47729 and CVE-2025-48928 for the full TeleMessage vulnerability chain.
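One way to implement steps 2 and 3 for a Spring Boot application, as an added example that is not TeleMessage's code: it assumes Spring Boot 3 with Spring Security 6 on the classpath, and the role name ACTUATOR_ADMIN is an assumption. The properties in the leading comment show the exposure setting that makes /heapdump reachable beside the hardened setting; the filter chain keeps only health and info anonymous and requires an authenticated administrator for every other actuator endpoint.

```java
// Added example (not TeleMessage's code): lock down Spring Boot Actuator so that
// the heapdump endpoint is never served to an unauthenticated client.
// Assumes Spring Boot 3.x with Spring Security 6.x; ACTUATOR_ADMIN is an assumed role name.
//
// application.properties, insecure shape (what this advisory describes):
//   management.endpoints.web.exposure.include=*
//
// application.properties, hardened shape:
//   management.endpoints.web.exposure.include=health,info   # expose only what operations needs
//   management.endpoint.heapdump.enabled=false              # remove heapdump entirely
//   management.server.port=8081                             # separate management port, not internet-facing
//
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    /**
     * A dedicated filter chain for everything under the actuator base path.
     * Only health and info stay anonymous; every other endpoint, heapdump
     * included, requires an authenticated user holding ROLE_ACTUATOR_ADMIN.
     * EndpointRequest.toAnyEndpoint() follows the configured base path, so the
     * rule still applies if management.endpoints.web.base-path is changed.
     */
    @Bean
    @Order(1) // must run before the application's catch-all SecurityFilterChain
    public SecurityFilterChain actuatorSecurity(HttpSecurity http) throws Exception {
        http.securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(EndpointRequest.to("health", "info")).permitAll()
                .anyRequest().hasRole("ACTUATOR_ADMIN"))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

With several SecurityFilterChain beans the actuator chain has to be ordered ahead of the application's catch-all chain; otherwise the catch-all chain handles actuator paths and this rule never runs. Auditing existing deployments (step 3) reduces to checking the same properties on each service: an exposure include list containing * or heapdump on an internet-facing service, with no Spring Security rule covering the actuator paths, reproduces the misconfiguration this advisory describes.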

Key Details

CVE ID: CVE-2025-48927
Vendor / Product: TeleMessage — TM SGNL
NVD Published: 2025-05-28
NVD Last Modified: 2025-11-05
CVSS 3.1 Score: 5.3
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity: MEDIUM
CWE: CWE-1188
CISA KEV Added: 2025-07-01
CISA KEV Deadline: 2025-07-22
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2025-07-22. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

2025-05-04: Security researcher breaches TeleMessage backend using the exposed /heapdump endpoint
2025-05-05: 404 Media reports TeleMessage breach; TeleMessage suspends all services
2025-05-28: CVE-2025-48927 published
2025-07-01: Added to CISA Known Exploited Vulnerabilities catalog
2025-07-22: CISA BOD 22-01 remediation deadline