A critical flaw in the TeleMessage app (CVE-2025-48927) has sparked a surge in cyberattacks, with threat actors aggressively probing vulnerable systems.
According to a new report from threat intelligence firm GreyNoise, at least 11 IP addresses have actively attempted to exploit the TeleMessage app vulnerability since April, while over 2,000 additional IPs may be conducting reconnaissance.
The flaw, which lets an unauthenticated attacker pull a memory dump of the server and whatever user data it holds, highlights escalating risks for government agencies and enterprises reliant on the compliance-focused messaging platform.
How the TeleMessage app vulnerability works
The TeleMessage app vulnerability stems from a legacy Spring Boot Actuator feature left unsecured. Actuator is the library Spring Boot applications use to expose monitoring and management endpoints; older (1.x-style) deployments serve them at the root of the application, and unless they are secured anyone who can reach the service can call them. The /heapdump endpoint returns a snapshot of the Java process's memory, so an attacker who fetches it without authentication gets whatever the application was holding at the time: credentials, session tokens, and message contents.
“This isn’t just a theoretical risk—attackers are actively trying to steal data from unpatched systems,” said Howdy Fisher, a GreyNoise researcher. “While TeleMessage has patched the issue, delays in user-side updates leave many exposed.”
GreyNoise's data also shows 1,582 IPs requesting the /health endpoint, a cheap way to confirm that a host is running Spring Boot Actuator before trying /heapdump. The TeleMessage app vulnerability is particularly concerning given its user base, which includes U.S. Customs and Border Protection, crypto exchange Coinbase, and former government officials such as ex-congressman Mike Waltz.
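The probe-then-pull pattern GreyNoise describes (confirm Actuator with /health, then request /heapdump) is easy to triage from ordinary web-server access logs. The following is an added example, not code from the article or from GreyNoise or TeleMessage: it parses constructed combined-log-format lines (documentation-range IPs, invented timestamps) and buckets source IPs into reconnaissance, attempted exploitation, and confirmed heap-dump retrieval, the last being any /heapdump request that was answered 200 with a non-empty body. The endpoint list and the "200 with a body means a dump left the server" rule are the example's own assumptions.

```python
import re

# Constructed sample access-log lines in combined log format. These are
# illustrative only, not real TeleMessage or GreyNoise data; the addresses
# come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Jul/2025:10:01:02 +0000] "GET /health HTTP/1.1" 200 15 "-" "curl/8.5.0"
203.0.113.10 - - [15/Jul/2025:10:01:05 +0000] "GET /heapdump HTTP/1.1" 200 73400320 "-" "curl/8.5.0"
198.51.100.7 - - [15/Jul/2025:10:02:11 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "python-requests/2.32.0"
198.51.100.7 - - [15/Jul/2025:10:02:12 +0000] "GET /actuator/heapdump HTTP/1.1" 404 0 "-" "python-requests/2.32.0"
192.0.2.44 - - [15/Jul/2025:10:03:30 +0000] "GET /env HTTP/1.1" 401 0 "-" "Mozilla/5.0"
192.0.2.44 - - [15/Jul/2025:10:03:31 +0000] "GET /actuator HTTP/1.1" 401 0 "-" "Mozilla/5.0"
198.51.100.200 - - [15/Jul/2025:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>[^\s"]+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Actuator endpoint names as served at the Spring Boot 1.x root (/heapdump,
# /env, ...) or under the 2.x+ prefix (/actuator/heapdump, ...). The bare
# /actuator path is the 2.x discovery page. Assumed list, not exhaustive.
ACTUATOR_ENDPOINTS = {
    "health", "info", "env", "beans", "mappings", "configprops", "metrics",
    "loggers", "heapdump", "threaddump", "dump", "trace", "httptrace",
    "jolokia", "auditevents", "autoconfig",
}


def actuator_endpoint(path: str):
    """Return the Actuator endpoint name a request path targets, or None."""
    p = path.split("?", 1)[0].strip("/")
    if p == "actuator":
        return "actuator"
    if p.startswith("actuator/"):
        p = p[len("actuator/"):]
    name = p.split("/", 1)[0]
    return name if name in ACTUATOR_ENDPOINTS else None


def triage_actuator_probes(log_text: str) -> dict:
    """Bucket source IPs by how far they got.

    recon:     touched any Actuator endpoint (the /health probing GreyNoise counts)
    attempted: requested /heapdump, i.e. an exploitation attempt
    confirmed: /heapdump answered 200 with a non-empty body, so a heap dump
               most likely left the server (assumed rule for this example)
    """
    buckets = {"recon": set(), "attempted": set(), "confirmed": set()}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ep = actuator_endpoint(m["path"])
        if ep is None:
            continue
        ip = m["ip"]
        buckets["recon"].add(ip)
        if ep == "heapdump":
            buckets["attempted"].add(ip)
            if m["status"] == "200" and m["size"] != "-" and int(m["size"]) > 0:
                buckets["confirmed"].add(ip)
    return buckets


def block_list(buckets: dict) -> list:
    """IPs that tried to pull a heap dump, sorted for a firewall deny list."""
    return sorted(buckets["attempted"])


if __name__ == "__main__":
    result = triage_actuator_probes(SAMPLE_LOG)
    for name in ("recon", "attempted", "confirmed"):
        print(f"{name:10s} {len(result[name])} IP(s): {sorted(result[name])}")
    print("block:", block_list(result))
```

On the sample, three IPs count as reconnaissance, two attempted /heapdump, and one (the 200 with a 70 MB body) is a confirmed retrieval; that last bucket is the one that should open an incident, since the dump has to be treated as a full credential and message exposure regardless of whether the endpoint has since been patched.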
Why the TeleMessage app vulnerability matters
Unlike consumer-focused apps, TeleMessage is designed for regulated industries, offering message archiving for compliance. Its acquisition by U.S. firm Smarsh in 2024 raised its profile, but a May 2025 breach, in which hackers stole app files, had already eroded trust.
“This isn’t just about leaked chats. For government and corporate users, it could mean compromised sensitive communications,” a cybersecurity analyst familiar with the TeleMessage app vulnerability told Cointelegraph on condition of anonymity.
The timing amplifies concerns: 2025 has seen record crypto thefts ($2.17 billion so far, per Chainalysis), with hackers employing phishing, malware, and even physical “wrench attacks” to steal assets. The TeleMessage app vulnerability adds another vector for credential harvesting.
How to mitigate the TeleMessage app vulnerability
GreyNoise urges users to:
Block malicious IPs linked to exploitation attempts.
Disable the /heapdump endpoint or restrict access to it.
Limit exposure to Actuator endpoints.
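The second and third items come down to a few Spring Boot properties. What follows is an added example, not TeleMessage's configuration and not code from GreyNoise: two constructed application.properties fragments, one with the exposure pattern and one hardened, plus a small checker that applies the Spring Boot 2.x/3.x rules (only health is web-exposed by default, every endpoint is enabled unless switched off, and exclude wins over include) to decide whether /actuator/heapdump would be served. Spring Boot 1.x uses different keys (endpoints.heapdump.enabled, management.security.enabled) that this checker does not cover; the separate-management-port finding is the example's own recommendation.

```python
# Constructed application.properties fragments for a Spring Boot 2.x/3.x
# service. Neither is TeleMessage's real configuration.
WEAK_CONFIG = """\
# every Actuator endpoint, heapdump included, on the app port with no auth
management.endpoints.web.exposure.include=*
management.endpoint.heapdump.enabled=true
"""

HARDENED_CONFIG = """\
# only health over HTTP; heapdump switched off and excluded as belt and braces
management.endpoints.web.exposure.include=health
management.endpoints.web.exposure.exclude=heapdump,env
management.endpoint.heapdump.enabled=false
# management interface on its own port, bound to loopback
management.server.port=8081
management.server.address=127.0.0.1
"""


def parse_properties(text: str) -> dict:
    """Minimal .properties parser: one key=value per line, # and ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _csv(props: dict, key: str, default: str = "") -> set:
    return {s.strip() for s in props.get(key, default).split(",") if s.strip()}


def heapdump_exposed(props: dict) -> bool:
    """True if /actuator/heapdump would be served over HTTP.

    Assumed Spring Boot 2.x+ defaults: exposure.include defaults to 'health',
    each endpoint is enabled unless its enabled flag is 'false', and an
    endpoint named in exposure.exclude is never served even if included.
    """
    include = _csv(props, "management.endpoints.web.exposure.include", "health")
    exclude = _csv(props, "management.endpoints.web.exposure.exclude")
    enabled = props.get("management.endpoint.heapdump.enabled", "true").lower() != "false"
    included = "*" in include or "heapdump" in include
    return enabled and included and "heapdump" not in exclude


def audit(props: dict) -> list:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    include = _csv(props, "management.endpoints.web.exposure.include", "health")
    if heapdump_exposed(props):
        findings.append("heapdump endpoint enabled and reachable over HTTP")
    if "*" in include:
        findings.append("all Actuator endpoints exposed (exposure.include=*)")
    if "management.server.port" not in props:
        # Example's own recommendation: keep Actuator off the application port.
        findings.append("Actuator shares the application port; no separate management port")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_properties(text)) or ["OK"])
```

Disabling the endpoint (management.endpoint.heapdump.enabled=false) is the change that actually removes the capability; the include/exclude lists only control what is routed over HTTP, and a later "include=*" added for debugging would silently re-expose anything that is merely excluded. Moving the management port off the application port and onto loopback means a future misconfiguration is reachable only from the host itself.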
Despite TeleMessage’s assurances that patches are deployed, experts warn that delayed updates—common in large organizations—prolong the risk.
“Patch timelines vary. Not every user applies fixes immediately,” Fisher emphasized.
The bigger picture: A year of escalating cyberthreats
The TeleMessage app vulnerability fits a broader trend of high-value digital exploits. Recent months have seen:
The February hack of Bybit, which drained roughly $1.5 billion in crypto.
Darknet markets selling credentials for thousands of dollars.
Social engineering schemes targeting crypto holders.
With 2,009 IPs scanning for Spring Boot Actuator endpoints in 90 days, the TeleMessage app vulnerability may be the tip of the iceberg.
Key note:
While TeleMessage has addressed the flaw, systemic delays in cybersecurity hygiene leave organizations exposed. For compliance-dependent users, proactive mitigation is non-negotiable.
Sunderland-born crypto enthusiast, cycling fanatic, and wordsmith. As co-founder and lead editor of The Bit Gazette, Mark combines his passion for blockchain with a knack for breaking down complex stories into engaging content. When he's not tracking the latest crypto trends, you'll find him on two wheels—exploring backroads or clocking miles on his favorite cycling routes. Dedicated to delivering sharp, insightful journalism in the fast-moving world of digital assets.