Flaw in Signal App Clone Could Leak Passwords — GreyNoise Identifies Active Reconnaissance and Exploit Attempts
A vulnerability disclosed in May 2025, CVE-2025-48927, affects certain deployments of TeleMessage™ SGNL, an enterprise messaging system modeled after Signal, used by government agencies and enterprises alike to archive secure communications. The issue stems from the platform’s continued use of a legacy configuration in Spring Boot Actuator, where a diagnostic /heapdump endpoint is publicly accessible without authentication.
If exposed, this endpoint can return a full snapshot of heap memory — roughly 150MB — which may include plaintext usernames, passwords, and other sensitive data. While newer versions of Spring Boot no longer expose this endpoint by default, public reporting indicates that TeleMessage instances continued using the older, insecure configuration through at least May 5, 2025.
On July 14th, CVE-2025-48927 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
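For defenders reviewing their own web or reverse-proxy logs, the following added example (not code from GreyNoise or TeleMessage) separates blocked probes of the heap dump endpoint from responses large enough to be an actual memory snapshot. The combined log format, the extra /actuator/heapdump path, the 10 MB threshold, and the verdict names are assumptions made for this sketch.

```python
import re

# Combined-log-format line: client IP, request target, status, response bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# /heapdump is the path named in the article; /actuator/heapdump is where
# newer Spring Boot versions place it (added here as an assumption).
HEAPDUMP_PATHS = {"/heapdump", "/actuator/heapdump"}

# Assumed threshold: a heap snapshot is large (article: ~150MB), an error page is not.
DUMP_MIN_BYTES = 10 * 1024 * 1024


def classify(line):
    """Return (ip, verdict) for heap dump requests, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Ignore the query string and a trailing slash when matching the path.
    path = m["target"].split("?", 1)[0].rstrip("/")
    if path not in HEAPDUMP_PATHS:
        return None
    size = 0 if m["size"] == "-" else int(m["size"])
    if m["status"] == "200" and size >= DUMP_MIN_BYTES:
        return m["ip"], "dump-served"    # memory left the host: rotate secrets
    if m["status"] in ("401", "403", "404"):
        return m["ip"], "probe-blocked"  # reconnaissance, endpoint not served
    return m["ip"], "review"             # anything else needs a human look


def scan(lines):
    return [r for r in map(classify, lines) if r is not None]


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [16/Jul/2025:10:01:02 +0000] "GET /heapdump HTTP/1.1" 404 153',
    '203.0.113.9 - - [16/Jul/2025:10:04:40 +0000] "GET /heapdump HTTP/1.1" 200 157286400',
    '203.0.113.9 - - [16/Jul/2025:10:05:11 +0000] "GET /login HTTP/1.1" 200 2048',
    '192.0.2.44 - - [16/Jul/2025:10:09:30 +0000] "GET /actuator/heapdump/ HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE):
        print(ip, verdict)
```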
To read the complete article see: Active Exploit Attempts Signal-based Messaging App
See technical write up here: Technical Write Up