Cybersecurity experts are reporting ongoing reconnaissance activity targeting a known vulnerability in the TeleMessage application, a modified version of the Signal app used by government organizations and enterprises for secure communication and archiving. The vulnerability, identified as CVE-2025-48927, has been actively exploited since its initial disclosure in May 2025.
According to a report by threat intelligence firm GreyNoise, multiple attacks have been detected that exploit this vulnerability in TeleMessage's Signal clone app. As of mid-July 2025, GreyNoise identified 11 IP addresses actively attempting to leverage the flaw to compromise user credentials and data. The vulnerability allows threat actors to potentially expose usernames, passwords, and other sensitive information in plaintext.
The root cause of the vulnerability lies in the platform's continued use of a legacy configuration in Spring Boot Actuator, where a diagnostic /heapdump endpoint is publicly accessible without authentication. This allows anyone to download a memory dump of the running application, which may include plaintext usernames, passwords, encryption keys, and active session tokens for TeleMessage's backend and archive systems.
GreyNoise also reported that a total of 2,009 IP addresses have been observed scanning for Spring Boot Actuator endpoints in the past 90 days, with 1,582 of them specifically probing the /health endpoint. Because /health is commonly used to fingerprint Spring Boot Actuator deployments, this reconnaissance activity could be a precursor to broader exploitation attempts against /heapdump.
TeleMessage, an Israel-based company acquired by Smarsh in 2024, provides modified versions of encrypted messaging apps like Signal, Telegram, and WhatsApp to allow organizations to archive messages for compliance purposes. The company came under scrutiny after it was revealed that former U.S. National Security Advisor Mike Waltz and other government officials were using TeleMessage's modified version of Signal.
In May 2025, TeleMessage temporarily suspended its services after a security breach resulted in the theft of files from the app. The breach exposed archived but unencrypted copies of messages, contact information of government officials, and backend login credentials for TeleMessage. Data pertaining to U.S. Customs and Border Protection, the crypto exchange Coinbase, and financial service providers such as Scotiabank was also compromised.
The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-48927 to its Known Exploited Vulnerabilities catalog and recommended remediation of the bug by July 22, 2025. CISA also added another security defect, CVE-2025-48928, to its KEV catalog, urging federal agencies to patch them.
Security experts recommend that organizations block the IP addresses observed exploiting the flaw and disable or restrict access to sensitive Actuator endpoints such as /heapdump to mitigate the risk of exploitation. The incident highlights the risks of modifying encrypted messaging apps for compliance purposes, since such modifications can introduce security vulnerabilities. It also underscores the importance of robust security practices, including runtime application testing and adherence to security policies.
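As an added example that is not part of the GreyNoise report or the article, the following script turns the reconnaissance pattern described above (/health fingerprinting followed by /heapdump requests) into a per-source detection run over constructed access-log lines in combined log format. It separates plain Actuator fingerprinting from heap-dump requests and escalates a 200 response with a multi-megabyte body, since that is the case where a memory dump actually left the server. The sample IPs, the probe path list and the trusted internal prefix are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Jul/2025:09:12:01 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "python-requests/2.31"
203.0.113.10 - - [14/Jul/2025:09:12:03 +0000] "GET /actuator/heapdump HTTP/1.1" 200 104857600 "-" "python-requests/2.31"
198.51.100.7 - - [14/Jul/2025:09:13:10 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "curl/8.5.0"
198.51.100.7 - - [14/Jul/2025:09:13:12 +0000] "GET /health HTTP/1.1" 404 0 "-" "curl/8.5.0"
192.0.2.55 - - [14/Jul/2025:09:14:00 +0000] "GET /actuator/heapdump HTTP/1.1" 401 0 "-" "Mozilla/5.0"
10.0.0.4 - - [14/Jul/2025:09:15:00 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "kube-probe/1.29"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumed probe paths: /health alone is used to fingerprint Actuator; /heapdump is the exposure itself.
RECON_PATHS = {"/actuator/health", "/health", "/actuator", "/actuator/info"}
DUMP_PATHS = {"/actuator/heapdump", "/heapdump"}
DUMP_MIN_BYTES = 1_000_000  # a served heap dump is far larger than a health JSON reply


def classify_actuator_probes(log_text, trusted_prefixes=("10.",)):
    """Return {ip: {"recon": n, "heapdump": n, "dump_served": bool}} for untrusted sources."""
    report = defaultdict(lambda: {"recon": 0, "heapdump": 0, "dump_served": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting on a partial log
        ip = m["ip"]
        if ip.startswith(trusted_prefixes):
            continue  # internal health checkers (e.g. kube-probe) are expected traffic
        path = m["path"].split("?", 1)[0].rstrip("/")
        if path in DUMP_PATHS:
            report[ip]["heapdump"] += 1
            # 200 with a large body means the memory dump was actually downloaded.
            if m["status"] == "200" and m["size"] != "-" and int(m["size"]) > DUMP_MIN_BYTES:
                report[ip]["dump_served"] = True
        elif path in RECON_PATHS:
            report[ip]["recon"] += 1
    return dict(report)


def severity(entry):
    """CRITICAL: dump left the host; HIGH: heapdump requested; INFO: fingerprinting only."""
    if entry["dump_served"]:
        return "CRITICAL"
    return "HIGH" if entry["heapdump"] else "INFO"


if __name__ == "__main__":
    for ip, entry in classify_actuator_probes(SAMPLE_LOG).items():
        print(f"{severity(entry):8} {ip:15} recon={entry['recon']} heapdump={entry['heapdump']}")
```

The matching Spring Boot hardening is to keep `management.endpoints.web.exposure.include` limited to `health` and set `management.endpoint.heapdump.enabled=false`, or to serve the management port only behind authentication.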