The TeleMessage service through 2025-05-05 configures Spring Boot Actuator with an exposed heap dump endpoint at a /heapdump URI, as exploited in the wild in May 2025.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NSmarsh Telemessage
APPSmarshwszystkie wersje
CISA KEV — detailsi
- Vendori
- TeleMessage
- Producti
- TM SGNL
- Added to KEVi
- July 1, 2025
- Remediation deadline (US Federal)i
- July 22, 2025(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
TeleMessage TM SGNL contains an initialization of a resource with an insecure default vulnerability. This vulnerability relies on how the Spring Boot Actuator is configured with an exposed heap dump endpoint at a /heapdump URI.
Related vulnerabilities
The TeleMessage service through 2025-05-05 is based on a JSP application in which the heap content is roughly ...
The TeleMessage service through 2025-05-05 relies on the client side (e.g., the TM SGNL app) to do MD5 hashing...
The admin panel in the TeleMessage service through 2025-05-05 allows attackers to discover usernames, e-mail a...
The TeleMessage service through 2025-05-05 implements authentication through a long-lived credential (e.g., no...
The TeleMessage archiving backend through 2025-05-05 accepts API calls (to request an authentication token) fr...