July 18, 2025 By Bill Toulas

Researchers are seeing exploitation attempts for the CVE-2025-48927 vulnerability in the TeleMessage SGNL app, which allows retrieving usernames, passwords, and other sensitive data.
TeleMessage SGNL is a Signal clone app now owned by Smarsh, a compliance-focused company that provides cloud-based or on-premises communication solutions to various organizations.
Scanning for vulnerable endpoints
Threat monitoring firm GreyNoise has observed multiple attempts to exploit CVE-2025-48927, likely by different threat actors.
“As of July 16, GreyNoise has observed 11 IPs attempting to exploit CVE-2025-48927,” reports GreyNoise.
“Related reconnaissance behavior is ongoing. Our telemetry shows active scanning for Spring Boot Actuator endpoints, a potential precursor to identifying systems affected by CVE-2025-48927.”
According to GreyNoise, more than two thousand IPs have scanned for Spring Boot Actuator endpoints over the past months, a little over 75% of them targeting the ‘/health’ endpoints specifically.
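A defender-side check for the scanning described above, as an added example that is not from GreyNoise or the article: it flags requests to Actuator-style paths in a web access log, groups them by source IP, and reports which probed paths the server actually answered. The log lines are constructed, and the combined log format and the `/actuator` base path are assumptions about the deployment being reviewed.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format). The addresses are
# RFC 5737 documentation ranges, not real scanner IPs.
SAMPLE_LOG = """\
198.51.100.7 - - [16/Jul/2025:10:01:02 +0000] "GET /health HTTP/1.1" 200 15 "-" "curl/8.0"
198.51.100.7 - - [16/Jul/2025:10:01:03 +0000] "GET /actuator/health?x=1 HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.9 - - [16/Jul/2025:10:02:10 +0000] "GET /actuator/info HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.9 - - [16/Jul/2025:10:02:11 +0000] "GET /actuator/ HTTP/1.1" 404 0 "-" "python-requests/2.31"
192.0.2.44 - - [16/Jul/2025:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [16/Jul/2025:10:03:05 +0000] "GET /healthcare/faq HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Captures: source IP, request target, HTTP status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

def iter_probes(log_text):
    """Yield (ip, path, status) for requests that look like Actuator probes."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed log format
        ip, target, status = m.groups()
        # Drop the query string and trailing slash so variants compare equal.
        path = target.split("?", 1)[0].rstrip("/").lower()
        segments = path.split("/")
        # Match whole path segments only, so /healthcare/faq is not flagged.
        if "actuator" in segments or segments[-1] == "health":
            yield ip, path, int(status)

def summarize(log_text):
    """Group probes by source IP and note which paths returned a 2xx."""
    by_ip, answered = defaultdict(set), set()
    for ip, path, status in iter_probes(log_text):
        by_ip[ip].add(path)
        if 200 <= status < 300:
            answered.add(path)  # endpoint is reachable from the log's vantage
    health_ips = [ip for ip, paths in by_ip.items()
                  if any(p.endswith("/health") for p in paths)]
    share = len(health_ips) / len(by_ip) if by_ip else 0.0
    return {"by_ip": dict(by_ip), "answered": answered, "health_share": share}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Any path in `answered` is an Actuator-style endpoint that responded to an unauthenticated external request and should be reviewed for exposure.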