GreyNoise Reports Continued Exploitation of TeleMessage CVE-2025-48927

Threat intelligence provider GreyNoise confirms ongoing attempts to exploit CVE-2025-48927, a vulnerability impacting TeleMessage’s Spring Boot Actuator configuration.

Despite TeleMessage confirming internal patches, GreyNoise’s monitoring tag detected 11 distinct IP addresses actively probing the flaw since April 2025.

Beyond direct exploitation, extensive reconnaissance is underway, with a total of 2,009 IP addresses scanning for Spring Boot Actuator endpoints over the past 90 days, of which 1,582 specifically targeted the commonly queried /health endpoint.

The critical vulnerability stems from an unpatched legacy feature allowing unauthenticated access to the diagnostic /heapdump endpoint, potentially enabling data extraction from affected systems.

TeleMessage is a communication platform similar to Signal that offers compliance features; it was recently acquired by Smarsh following a May security incident. The company confirms the vulnerability is patched internally. GreyNoise advises users to block malicious IPs and restrict the /heapdump endpoint.
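Before blocking and restricting, it helps to know whether the endpoint has already answered anyone. The Python sketch below is an added example, not code from GreyNoise or TeleMessage: it reviews a web access log for /heapdump requests and separates those that were served from those that were refused. The log lines are constructed, and the combined log format and the /actuator path prefix are assumptions about the deployment.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format). The IPs are
# RFC 5737 documentation addresses, not indicators published by GreyNoise.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jul/2025:08:01:12 +0000] "GET /health HTTP/1.1" 200 15 "-" "probe/1.0"
198.51.100.7 - - [10/Jul/2025:08:01:13 +0000] "GET /heapdump HTTP/1.1" 200 157286400 "-" "probe/1.0"
203.0.113.21 - - [10/Jul/2025:09:14:40 +0000] "GET /actuator/heapdump HTTP/1.1" 403 0 "-" "curl/8.5.0"
203.0.113.21 - - [10/Jul/2025:09:14:41 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "curl/8.5.0"
192.0.2.50 - - [10/Jul/2025:10:30:02 +0000] "GET /login?next=/heapdump HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Jul/2025:10:30:05 +0000] "HEAD /actuator/heapdump/ HTTP/1.1" 404 - "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Match on the path only (query string stripped); the /actuator prefix is assumed.
HEAPDUMP_PATH = re.compile(r'^(?:/actuator)?/heapdump/?$', re.IGNORECASE)

def review_heapdump_requests(log_text):
    """Return {ip: {"served": n, "refused": n, "bytes": n}} for heapdump requests."""
    report = defaultdict(lambda: {"served": 0, "refused": 0, "bytes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected log format
        path = m["target"].split("?", 1)[0]
        if not HEAPDUMP_PATH.match(path):
            continue  # /health probes and query-string mentions are ignored
        entry = report[m["ip"]]
        if m["status"].startswith("2"):
            # A 2xx means the endpoint answered: treat in-memory secrets as exposed.
            entry["served"] += 1
            entry["bytes"] += 0 if m["size"] == "-" else int(m["size"])
        else:
            entry["refused"] += 1
    return dict(report)

def exposed_sources(report):
    """IPs that received a 2xx heapdump response, sorted for stable output."""
    return sorted(ip for ip, e in report.items() if e["served"])

if __name__ == "__main__":
    result = review_heapdump_requests(SAMPLE_LOG)
    for ip, e in sorted(result.items()):
        print(ip, e)
    print("received a dump:", exposed_sources(result))
```

Any source in the served list warrants credential rotation in addition to a block, since a heap dump can contain whatever the application held in memory at the time.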

This vulnerability poses particular risk to TeleMessage’s enterprise and government clients, including users like Coinbase.

Chainalysis’ latest crime report highlights a surge in cryptocurrency theft in 2025, with over $2.17 billion stolen to date, potentially surpassing annual records.

Notable recent incidents include the February hack of crypto exchange Bybit and ongoing physical security compromises known as “wrench attacks.”

Crypto theft methods frequently involve sophisticated phishing attacks, specialized malware, and elaborate social engineering schemes targeting user credentials.

Coinbase hack demonstrates legal protections often fall short against significant security breaches.