CVE-2025-48927

Severity: 5.3 MEDIUM | Listed in CISA KEV

📋 TL;DR

The TeleMessage service exposes the Spring Boot Actuator heap dump endpoint at /heapdump, allowing unauthenticated attackers to download a snapshot of the process memory. Any TeleMessage deployment with this endpoint exposed is affected. Attackers can mine the dump for sensitive information such as credentials and session tokens held in memory.

💻 Affected Systems

Products:
  • TeleMessage service
Versions: All versions through 2025-05-05
Operating Systems: Any OS running TeleMessage
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists when Spring Boot Actuator endpoints are exposed without proper security controls.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of sensitive data including authentication credentials, encryption keys, and user messages stored in memory, potentially leading to account takeover and data breaches.

🟠 Likely Case

Extraction of sensitive information from memory leading to credential theft, session hijacking, and unauthorized access to user data.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls preventing external access to the vulnerable endpoint.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Actively exploited in the wild since May 2025. Exploitation requires only a simple HTTP GET request to the /heapdump endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2025-05-05

Vendor Advisory: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48927

Restart Required: Yes

Instructions:

1. Update TeleMessage to a version released after 2025-05-05.
2. Restart the service.
3. Verify that the heap dump endpoint is no longer publicly accessible.

🔧 Temporary Workarounds

Disable heap dump endpoint (applies to: all)

Configure Spring Boot to disable or secure the heap dump actuator endpoint:

management.endpoint.heapdump.enabled=false

Restrict endpoint access (applies to: all)

Configure a network firewall or application security controls to restrict access to the /heapdump endpoint.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the TeleMessage service from untrusted networks
  • Deploy a web application firewall (WAF) with rules to block requests to the /heapdump endpoint

🔍 How to Verify

Check if Vulnerable:

Test whether an HTTP GET request to the /heapdump endpoint returns a heap dump file. Use:

curl -v http://<host>:<port>/heapdump

Check Version:

Check the TeleMessage version in the application logs or configuration files.

Verify Fix Applied:

Verify that the /heapdump endpoint now returns 404 or access denied. Use:

curl -v http://<host>:<port>/heapdump

📡 Detection & Monitoring

Log Indicators:

  • HTTP GET requests to /heapdump endpoint
  • Large file downloads from actuator endpoints
  • Unusual memory access patterns

Network Indicators:

  • HTTP requests to /heapdump path
  • Large outbound transfers from TeleMessage service

SIEM Query:

source="telemessage" AND (url_path="/heapdump" OR user_agent="*curl*" OR bytes_out>1000000)
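The SIEM query above alerts on any curl user agent or any large response, which is noisy. As an added example (not part of the original advisory), the following Python detector applies the same indicators more precisely to access-log lines from a reverse proxy in front of the service; it assumes the NCSA combined log format and uses constructed sample lines, not real telemetry.

```python
import re

# Pattern for the NCSA combined log format; assumption: the reverse proxy in front
# of the TeleMessage service logs requests this way.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
HEAPDUMP_PATHS = {"/heapdump", "/actuator/heapdump"}
LARGE_BYTES = 1_000_000  # a real heap dump is many MB; matches the page's bytes_out threshold

def classify(line):
    """Return (severity, reason) for one log line, or None if it is not of interest."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0].rstrip("/").lower()
    status = int(m.group("status"))
    size = 0 if m.group("size") == "-" else int(m.group("size"))
    if path in HEAPDUMP_PATHS:
        if status == 200 and size >= LARGE_BYTES:
            return ("critical", "heap dump served; treat credentials held in memory as exposed")
        if status == 200:
            return ("high", "heap dump endpoint answered 200; endpoint is still enabled")
        return ("low", f"heap dump probe blocked with HTTP {status}")
    if path.startswith("/actuator/") and status == 200 and size >= LARGE_BYTES:
        return ("medium", f"unusually large actuator response on {path}")
    return None

def scan(lines):
    """Run classify over all lines; returns (src_ip, path, severity, reason) tuples."""
    out = []
    for line in lines:
        hit = classify(line)
        if hit:
            m = LOG_RE.match(line)
            out.append((m.group("src"), m.group("path"), hit[0], hit[1]))
    return out

# Constructed sample lines, not real telemetry.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/May/2025:10:01:12 +0000] "GET /heapdump HTTP/1.1" 200 184720384 "-" "curl/8.4.0"',
    '198.51.100.9 - - [06/May/2025:10:02:01 +0000] "GET /actuator/heapdump HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [06/May/2025:10:02:30 +0000] "GET /api/messages?page=2 HTTP/1.1" 200 5120 "-" "okhttp/4.9"',
    '203.0.113.7 - - [06/May/2025:10:03:44 +0000] "GET /actuator/heapdump HTTP/1.1" 200 2048 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

A blocked probe (403/404) is still worth keeping as a low-severity event, since a burst of them from one source shows the endpoint is being looked for.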

🔗 References
