CISA Adds TeleMessage TM SGNL to KEV Catalog

CVE-2025-48927 — Insecure Spring Boot Heap Dump Exposure

📌 Description:

This vulnerability exists in TeleMessage TM SGNL due to an exposed Spring Boot Actuator /heapdump endpoint, accessible without authentication. This endpoint allows remote attackers to download a live memory snapshot (heap dump) of the running Java process.

🔓 Technical Breakdown:

  • Actuator Endpoint: /heapdump provides a full binary memory snapshot.
  • Exposure: In production deployments, this endpoint was left unsecured, accessible over the network.
  • Attack Vector: Remote, unauthenticated HTTP GET request.
  • Risk: Memory dump may include sensitive information such as:
    • Authentication tokens
    • Passwords in memory
    • Session identifiers
    • Internal API keys
    • Usernames and message fragments

🧮 CVSS v3.1 Base Score:

  • 5.3 (Medium)
    Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

🚨 Impact:

  • Unauthenticated attackers can exploit this to harvest sensitive in-memory data.
  • Leaked credentials can be used for lateral movement or impersonation.

🛠 Recommended Mitigations:

  • Immediately restrict or disable actuator endpoints in production.
  • Apply vendor patches or hotfixes that remove or secure the /heapdump endpoint.
  • Ensure proper access controls for internal application diagnostics.

CVE-2025-48928 — Memory Exposure via JSP Dump Mechanism

📌 Description:

A second critical vulnerability in TM SGNL exposes an internal JSP-based memory snapshot tool which outputs a core-dump-like memory file that is accessible by unauthorized users. This file includes plaintext credentials, access tokens, and other sensitive content.

⚠️ Technical Details:

  • Vulnerable service provides a memory snapshot on request.
  • Endpoint is not authenticated and exposed over the public network.
  • Potentially a debug or legacy maintenance endpoint left active in production.

📚 CWE Reference:

  • CWE-528: Exposure of Core Dump to Unauthorized Sphere

🚨 Risk and Impact:

  • Leaks sensitive runtime information directly to attackers.
  • Can lead to full compromise of user sessions, tokens, and system secrets.
  • Enables reconnaissance, account takeover, or remote command execution (depending on the memory content leaked).

🛠 Recommended Mitigations:

  • Identify and disable the vulnerable JSP endpoint.
  • Patch the system using updated software from TeleMessage.
  • Conduct forensic analysis on exposed logs and memory dumps for indicators of compromise (IoCs).
  • Implement strict access control policies for all diagnostic tools.

📣 CISA Action and KEV Catalog Listing

🔔 KEV Directive Summary:

Under Binding Operational Directive (BOD) 22-01, all U.S. federal civilian executive branch agencies are required to:

  • Identify affected assets.
  • Apply mitigations or patches by July 22, 2025.
  • Report compliance through official vulnerability tracking systems.

🔗 CISA’s Known Exploited Vulnerabilities Catalog

🧩 Broader Security Implications

⚠️ Why This Matters:

  • TM SGNL is widely used in regulated environments (e.g., financial services, law enforcement, and federal agencies) for secure archiving and communication.
  • These memory-related flaws effectively bypass application-level encryption and session management by exposing raw runtime data.
  • The exploitation of these vulnerabilities could aid surveillance, data exfiltration, and credential harvesting in high-value environments.

✅ Recommendations for All Organizations

  1. Identify exposed actuator/JSP endpoints using network scans or application-layer reviews.
  2. Apply all patches or configuration hardening from TeleMessage.
  3. Review internal policies to disable debug/diagnostic tools in production environments.
  4. Audit logs and network traffic for signs of unauthorized memory dump retrieval.
  5. Implement Web Application Firewalls (WAFs) and endpoint protection to monitor for heap/core-dump access attempts.
  6. Incorporate CISA KEV entries into your continuous vulnerability management program.
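As an added illustration of recommendation 4 (this is example code, not from CISA or TeleMessage), the following Python script parses web-server access logs in Combined Log Format, picks out requests to the Spring Boot Actuator /heapdump path, and separates successful downloads (2xx, the real data loss) from blocked attempts (worth noting as reconnaissance). The log lines, IP addresses and timestamps are constructed samples; the TM SGNL JSP dump path is not named in this post, so only the generic actuator path is matched.

```python
import re
from collections import defaultdict

# Constructed sample access log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2025:14:02:11 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "curl/8.4.0"
203.0.113.7 - - [10/Jul/2025:14:02:13 +0000] "GET /actuator/heapdump HTTP/1.1" 200 184532992 "-" "curl/8.4.0"
198.51.100.23 - - [10/Jul/2025:14:05:41 +0000] "GET /heapdump HTTP/1.1" 401 0 "-" "python-requests/2.32"
10.0.0.5 - - [10/Jul/2025:14:06:02 +0000] "GET /app/login.jsp HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2025:14:07:55 +0000] "GET /actuator/heapdump?x=1 HTTP/1.1" 200 184533110 "-" "curl/8.4.0"
"""

# Client IP, timestamp, request line, status and response size in Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def is_heapdump_path(path):
    """True for /heapdump and /actuator/heapdump (query string and case ignored)."""
    return path.split("?", 1)[0].lower().endswith("/heapdump")


def find_heapdump_access(log_text):
    """Return (downloads, attempts), each keyed by source IP.

    downloads: requests to a heap dump path answered with 2xx (data actually left).
    attempts:  every request to a heap dump path, including denied ones (recon signal).
    """
    downloads, attempts = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not is_heapdump_path(rec["path"]):
            continue
        attempts[rec["ip"]].append(rec)
        if 200 <= rec["status"] < 300:
            downloads[rec["ip"]].append(rec)
    return dict(downloads), dict(attempts)


if __name__ == "__main__":
    got, tried = find_heapdump_access(SAMPLE_LOG)
    for ip, recs in got.items():
        print(f"ALERT {ip}: {len(recs)} heap dump download(s), {sum(r['bytes'] for r in recs)} bytes")
    for ip, recs in tried.items():
        print(f"note  {ip}: {len(recs)} heap dump request(s) in total")
```

A heap dump is the size of the JVM heap, so a 2xx on this path with only a few bytes in the size field usually means a reverse proxy or WAF truncated the response and is worth checking rather than dismissing.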
