The Cybersecurity and Infrastructure Security Agency (CISA) added two critical vulnerabilities affecting TeleMessage TM SGNL to its Known Exploited Vulnerabilities (KEV) catalog on July 1, 2025, warning that these security vulnerabilities have been actively exploited in the wild.
Organizations using the TeleMessage TM SGNL platform are urged to take immediate action to address these vulnerabilities before the July 22, 2025 deadline.
Organizations have three primary options for addressing these vulnerabilities: implementing mitigations according to vendor-provided instructions, following applicable BOD 22-01 guidance specifically designed for cloud services, or discontinuing use of the affected product entirely if adequate mitigations cannot be implemented.
The agency has issued clear guidance for organizations currently using TeleMessage TM SGNL products, emphasizing the critical nature of these vulnerabilities and the potential for serious security breaches.
TeleMessage TM SGNL Vulnerabilities
The vulnerabilities affecting TeleMessage TM SGNL present serious security risks through multiple attack vectors:
CVE-2025-48927 – Insecure Default Configuration:
- Involves initialization of resources with insecure default settings.
- Specifically targets Spring Boot Actuator component configuration.
- Creates dangerous exposure through unprotected heap dump endpoint.
- Accessible via /heapdump URI without proper authentication.
- Classified under CWE-1188 (insecure default initialization patterns).
CVE-2025-48928 – Core Dump File Exposure:
- Exposes core dump files to unauthorized control spheres.
- Affects JSP applications within the TeleMessage platform.
- Heap content functions as a comprehensive core dump containing sensitive data.
- Can expose passwords previously transmitted over HTTP connections.
- Credentials become embedded within accessible dump files.
- Falls under CWE-528 (unauthorized exposure of sensitive system information).
Both vulnerabilities work in tandem to provide attackers with comprehensive access to system internals and sensitive authentication data, making them particularly dangerous when exploited together.
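Defenders can check web access logs for requests to the /heapdump endpoint described above and for responses that actually returned a dump. The Python script below is an added example, not code from CISA or TeleMessage; it assumes Combined Log Format, and matching any path whose last segment is heapdump (for example /actuator/heapdump) is an assumption that goes beyond the single URI named here.

```python
import re
from urllib.parse import unquote

# Combined Log Format prefix: ip ident user [time] "METHOD path proto" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def is_heapdump_path(raw_path):
    """True if the request path ends in a 'heapdump' segment after normalisation."""
    path = unquote(raw_path.split("?", 1)[0].split("#", 1)[0])
    # Drop empty segments (// or trailing /) and ;matrix parameters, ignore case.
    segments = [s.split(";", 1)[0] for s in path.lower().split("/") if s]
    return bool(segments) and segments[-1] == "heapdump"

def find_heapdump_hits(lines):
    """Return one finding per logged request for the heap dump endpoint."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_heapdump_path(m["path"]):
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        if 200 <= status < 300 and size > 0:
            verdict = "served"   # a dump left the host: treat secrets in memory as exposed
        elif status in (401, 403):
            verdict = "blocked"  # access control answered the request
        else:
            verdict = "probe"    # endpoint was requested but no dump was returned
        findings.append({"ip": m["ip"], "user": m["user"], "path": m["path"],
                         "status": status, "bytes": size, "verdict": verdict})
    return findings

# Constructed sample lines (documentation IP ranges), not taken from a real incident.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jul/2025:10:00:01 +0000] "GET /heapdump HTTP/1.1" 200 157286400 "-" "example-client/1.0"',
    '203.0.113.7 - - [01/Jul/2025:10:00:05 +0000] "GET /actuator/%68eapdump HTTP/1.1" 404 0 "-" "example-client/1.0"',
    '198.51.100.9 - - [01/Jul/2025:10:02:11 +0000] "GET /heapdump?x=1 HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
    '192.0.2.15 - alice [01/Jul/2025:10:03:00 +0000] "GET /index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [01/Jul/2025:10:03:02 +0000] "GET /docs/heapdump-guide.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_heapdump_hits(SAMPLE_LOG):
        print(hit["verdict"], hit["ip"], hit["path"], hit["status"], hit["bytes"])
```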
Immediate Action Required for Organizations
CISA has classified both vulnerabilities as requiring urgent attention, though it remains unknown whether these security vulnerabilities have been specifically leveraged in ransomware campaigns.
The inclusion of these vulnerabilities in CISA’s KEV catalog indicates that threat actors are actively exploiting these weaknesses, making immediate remediation essential for maintaining organizational security posture.
The July 22, 2025 deadline provides organizations with a three-week window to implement necessary security measures.
This timeline aligns with CISA’s standard practice of providing reasonable remediation periods while emphasizing the urgent nature of actively exploited vulnerabilities.
Federal agencies and organizations following federal cybersecurity guidelines are particularly urged to prioritize these remediations within their vulnerability management frameworks.
CISA maintains the KEV catalog as the authoritative source for vulnerabilities confirmed to be exploited in real-world attacks, serving as a critical resource for cybersecurity professionals and network defenders.