CVE-2025-48928 — TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability

CVE-2025-48928

TeleMessage TM SGNL — Heap Dump Contains Cleartext Passwords Transmitted over HTTP

What is TeleMessage TM SGNL?

TeleMessage is an Israeli company that markets compliance-archiving versions of popular encrypted messaging apps for regulated industries. TM SGNL is their Signal-derived application modified to route messages through a proprietary archiving backend built on Java/Spring Boot. See also CVE-2025-47729 (cleartext message storage) and CVE-2025-48927 (unauthenticated /heapdump endpoint).

Overview

TeleMessage TM SGNL contains an exposure of a core dump file to an unauthorized control sphere vulnerability (CWE-528). The backend application is a JSP/Spring Boot Java application that processes unencrypted message content as part of its archiving function. When the JVM heap dump (accessible via the unauthenticated /heapdump Actuator endpoint described in CVE-2025-48927) is captured and analyzed, it contains plaintext passwords and other credentials that had been transmitted over HTTP within the application during normal operation.

The heap dump is functionally equivalent to a process memory dump ("core dump"), containing a snapshot of all live objects in the JVM — including credential strings, database passwords, session tokens, and message content in various stages of processing.

Affected Versions

Product                                      Status
TeleMessage TM SGNL backend (all versions)   Vulnerable — no patch issued; service suspended

TeleMessage suspended all services following the May 2025 breach. No patched version was released.

Technical Details

The TM SGNL backend receives decrypted message content from the client app as part of the compliance archiving flow. This data — along with database credentials, API keys, and other secrets configured in the application — exists as live objects in the JVM heap.

Why passwords appear in heap dumps:

  • Java strings are immutable; once created, a credential string cannot be securely zeroed in memory until garbage collected
  • Credentials passed via HTTP (rather than TLS-secured channels) remain in parsed form (as String objects) on the heap
  • Spring Boot and JDBC connection pools keep database passwords in memory for the lifetime of the application

What the heap dump contained:

  • Database connection credentials for TeleMessage's message archive store
  • Internal API credentials
  • Portions of plaintext message content being processed through the archiving pipeline
  • Session tokens and authentication artifacts

Relationship to CVE-2025-48927: CVE-2025-48927 describes how the /heapdump endpoint was unauthenticated and accessible. CVE-2025-48928 describes the content of that dump — specifically that passwords transmitted over HTTP were present in memory and therefore exposed.

Discovery

A security researcher exploited the /heapdump endpoint (CVE-2025-48927) during the May 2025 TeleMessage breach and analyzed the resulting heap dump, finding plaintext credentials alongside message content belonging to TM SGNL users including U.S. government personnel.

Exploitation Context

Actively exploited in the May 2025 TeleMessage breach. The combination of CVE-2025-48927 (unauthenticated heap dump access) and CVE-2025-48928 (credentials in heap) gave the attacker valid credentials for TeleMessage's backend infrastructure, enabling further data extraction. TeleMessage suspended all services immediately following public disclosure by 404 Media.

Remediation

  1. Discontinue use of TeleMessage products — no patch is available.
  2. For Java/Spring Boot applications: use char[] instead of String for credential storage and zero them after use; use Spring Vault or a secrets manager rather than passing credentials in HTTP request bodies; disable or restrict the /heapdump Actuator endpoint in production.
  3. Rotate credentials for any system that used TeleMessage services, as backend credentials may have been exposed.
  4. Review CVE-2025-47729 and CVE-2025-48927 for the full TeleMessage vulnerability chain.
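The two Java mitigations above (credentials held as char[] and zeroed after use, and the /heapdump Actuator endpoint switched off) as an added example; this is illustrative code, not TeleMessage's, and ScrubbedSecret is a hypothetical helper. It also shows the caveat from the Technical Details section: anything that still reaches a String (JDBC passwords in a pool, a string literal) stays on the heap regardless, which is why disabling the dump endpoint and using a secrets manager are listed alongside it.

```java
// Added example (not TeleMessage code): hold a secret as char[] for the shortest
// window possible and wipe it afterwards, so a later heap dump does not carry it.
//
// Companion setting in application.properties (Spring Boot Actuator), which
// removes heapdump from the exposed set and disables the endpoint entirely:
//   management.endpoints.web.exposure.include=health,info
//   management.endpoint.heapdump.enabled=false
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

public final class ScrubbedSecret implements AutoCloseable {   // hypothetical helper
    private final char[] chars;

    public ScrubbedSecret(char[] source) {
        this.chars = source.clone();
        Arrays.fill(source, '\0');            // the caller's array is wiped as well
    }

    /** UTF-8 encode without ever materialising a String object. */
    public byte[] utf8Bytes() {
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] out = new byte[buf.remaining()];
        buf.get(out);
        if (buf.hasArray()) Arrays.fill(buf.array(), (byte) 0);   // wipe encoder scratch
        return out;
    }

    @Override public void close() { Arrays.fill(chars, '\0'); }

    public static void main(String[] args) throws Exception {
        // Constructed input for the demo only. A literal is itself an interned String
        // and would survive in a dump; real callers take char[] from Console.readPassword()
        // or a secrets-manager client and never hold the value as a String.
        char[] fromInput = "example-password".toCharArray();
        byte[] digest;
        try (ScrubbedSecret secret = new ScrubbedSecret(fromInput)) {
            byte[] raw = secret.utf8Bytes();
            try {
                digest = MessageDigest.getInstance("SHA-256").digest(raw);
            } finally {
                Arrays.fill(raw, (byte) 0);   // zero the transient byte copy too
            }
        }
        // Only the derived digest remains live; fromInput is now all NUL characters.
        System.out.println("wiped=" + Arrays.equals(fromInput, new char[fromInput.length])
                + " digestLen=" + digest.length);
    }
}
```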

Key Details

Property              Value
CVE ID                CVE-2025-48928
Vendor / Product      TeleMessage — TM SGNL
NVD Published         2025-05-28
NVD Last Modified     2025-11-05
CVSS 3.1 Score        4
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity              MEDIUM
CWE                   CWE-528
CISA KEV Added        2025-07-01
CISA KEV Deadline     2025-07-22
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric               Value
Attack Vector        Local
Attack Complexity    Low
Privileges Required  None
User Interaction     None
Scope                Unchanged
Confidentiality      Low
Integrity            None
Availability         None

Required Action

CISA BOD 22-01 Deadline: 2025-07-22. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-05-04   Security researcher obtains TeleMessage heap dump containing credentials via /heapdump endpoint
2025-05-05   404 Media reports TeleMessage breach; TeleMessage suspends all services
2025-05-28   CVE-2025-48928 published
2025-07-01   Added to CISA Known Exploited Vulnerabilities catalog
2025-07-22   CISA BOD 22-01 remediation deadline