# Hacker Reconnaissance Work Continues on TeleMessage App Vulnerability — Report

A recent report from threat intelligence company GreyNoise has revealed that hacker reconnaissance work is still ongoing on the TeleMessage app vulnerability, CVE-2025-48927. As of Wednesday, at least 11 IP addresses have actively tried to exploit the vulnerability, with thousands more addresses possibly engaging in reconnaissance work.

The GreyNoise tag that monitors attempts to exploit the vulnerability has detected these 11 IP addresses attempting the exploit since April. Many more IP addresses are likely performing reconnaissance: 2,009 IPs searched for Spring Boot Actuator endpoints in the past 90 days, and 1,582 IPs specifically targeted the /health endpoint.
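The distinction GreyNoise draws above, between hosts probing for Actuator endpoints or /health (reconnaissance) and hosts actually requesting /heapdump (exploitation attempts), can be reproduced from a web server's own access logs. The following script is an added example, not GreyNoise's tag logic or anything from TeleMessage; the log lines are constructed, the IP addresses are documentation ranges, and the paths assume Spring Boot's defaults (/actuator/... in 2.x and later, bare /health and /heapdump in 1.x). It parses combined-format log lines, classifies each request, and reports distinct source IPs per category, flagging separately any IP that received a 200 for /heapdump, since that is the case where data actually left the server.

```python
import re

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Jul/2025:10:01:02 +0000] "GET /actuator HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Jul/2025:10:01:03 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Jul/2025:10:05:44 +0000] "GET /health HTTP/1.1" 404 0 "-" "python-requests/2.31"
198.51.100.7 - - [02/Jul/2025:10:05:45 +0000] "GET /actuator/heapdump HTTP/1.1" 200 83886080 "-" "python-requests/2.31"
192.0.2.55 - - [02/Jul/2025:10:09:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.55 - - [02/Jul/2025:10:09:11 +0000] "GET /heapdump HTTP/1.1" 401 0 "-" "curl/8.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, path, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def classify(path):
    """Return 'heapdump', 'recon', or None for a request path.

    'heapdump' covers /heapdump and /actuator/heapdump (1.x and 2.x defaults).
    'recon' covers the Actuator index and the /health endpoint, which attackers
    use to confirm that Actuator is present before asking for a heap dump.
    """
    p = path.split("?", 1)[0].rstrip("/").lower()
    if p.endswith("/heapdump"):
        return "heapdump"
    if p.endswith("/health") or p == "/actuator":
        return "recon"
    return None


def triage(log_text):
    """Group distinct source IPs by what they did against the Actuator surface."""
    ips = {"recon": set(), "heapdump_attempt": set(), "heapdump_served": set()}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        kind = classify(m["path"])
        if kind == "recon":
            ips["recon"].add(m["ip"])
        elif kind == "heapdump":
            ips["heapdump_attempt"].add(m["ip"])
            # A 200 on /heapdump means the server actually returned the heap:
            # treat this as a confirmed data exposure, not just an attempt.
            if m["status"] == "200":
                ips["heapdump_served"].add(m["ip"])
    return {k: sorted(v) for k, v in ips.items()}


if __name__ == "__main__":
    for category, addrs in triage(SAMPLE_LOG).items():
        print(f"{category:17s} {len(addrs):3d}  {', '.join(addrs)}")
```

The categories map onto the numbers GreyNoise reports: the "recon" set corresponds to the thousands of IPs looking for Actuator or /health, "heapdump_attempt" to the handful actually trying the exploit, and "heapdump_served" is the set an incident responder should treat as a confirmed leak and feed into the blocklist the first section recommends.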

The vulnerability allows attackers to extract data from vulnerable systems, which is particularly concerning for the government organizations and enterprises that use TeleMessage. According to Howdy Fisher, a member of the GreyNoise team, "TeleMessage has stated that the vulnerability has been patched on their end." However, how quickly a patch reaches every deployment varies.

GreyNoise recommends several measures to mitigate the risk associated with this vulnerability. These include blocking malicious IPs and disabling or restricting access to the /heapdump endpoint. Additionally, limiting exposure to Actuator endpoints may be helpful in reducing the attack surface.

# The TeleMessage Vulnerability: What You Need to Know

TeleMessage is a messaging app similar to Signal, but it allows for the archiving of chats for compliance purposes. Based in Israel, the company was acquired by US-based Smarsh in 2024, before temporarily suspending services after a security breach in May that resulted in files being stolen from the app.

The vulnerability stems from the platform's continued use of a legacy configuration of Spring Boot Actuator, in which the diagnostic /heapdump endpoint is publicly accessible without authentication. A heap dump is a snapshot of the running JVM's memory, so anyone who can fetch it can extract sensitive data from the vulnerable system.
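The misconfiguration described above, and the mitigations recommended earlier (disabling /heapdump and limiting Actuator exposure), both come down to a handful of Spring Boot properties. The following script is an added example, not TeleMessage's configuration or any Spring project code: it embeds constructed application.properties fragments, one weak legacy (Spring Boot 1.x) setup, one weak modern (2.x/3.x) setup, and one hardened setup, and a small auditor that flags the combinations under which the heap dump endpoint is reachable over HTTP without authentication. The property names are the real Spring Boot keys; the management port value in the hardened fragment is an arbitrary choice.

```python
# Constructed application.properties fragments (not from any real deployment).

# Spring Boot 1.x style: endpoints live at the root (/heapdump) and the
# "sensitive" flag plus management security decide whether auth is required.
WEAK_LEGACY = """\
endpoints.heapdump.enabled=true
endpoints.heapdump.sensitive=false
management.security.enabled=false
"""

# Spring Boot 2.x/3.x style: a wildcard exposes every endpoint, heapdump included.
WEAK_MODERN = """\
management.endpoints.web.exposure.include=*
"""

# Hardened: expose only health, switch heapdump off entirely, and move the
# management endpoints onto a separate port that is not published externally
# (port number is an assumed value).
HARDENED = """\
management.endpoints.web.exposure.include=health
management.endpoint.heapdump.enabled=false
management.server.port=8081
"""


def parse_properties(text):
    """Parse key=value lines of a .properties file, ignoring blanks and comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def _is_false(props, key, default="true"):
    return props.get(key, default).strip().lower() == "false"


def audit_actuator(text):
    """Return a list of findings describing how /heapdump becomes reachable.

    Only explicitly weak settings are flagged; a 1.x deployment without Spring
    Security on the classpath would also be open, but that is not visible in
    the properties file alone.
    """
    props = parse_properties(text)
    findings = []

    # Spring Boot 2.x/3.x: web exposure is opt-in, so heapdump is only reachable
    # when the include list names it (or uses "*") and the endpoint is enabled.
    include = props.get("management.endpoints.web.exposure.include", "")
    exposed = {e.strip().lower() for e in include.split(",") if e.strip()}
    if not _is_false(props, "management.endpoint.heapdump.enabled") and (
        "*" in exposed or "heapdump" in exposed
    ):
        findings.append(
            f"heapdump exposed over HTTP: management.endpoints.web.exposure.include={include}"
        )

    # Spring Boot 1.x: heapdump is enabled by default; marking it non-sensitive
    # or disabling management security removes the authentication requirement.
    if not _is_false(props, "endpoints.heapdump.enabled") and (
        _is_false(props, "endpoints.heapdump.sensitive")
        or _is_false(props, "management.security.enabled")
    ):
        findings.append(
            "legacy 1.x configuration leaves /heapdump reachable without authentication"
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("legacy", WEAK_LEGACY), ("modern", WEAK_MODERN), ("hardened", HARDENED)):
        print(name, "->", audit_actuator(cfg) or ["no findings"])
```

The hardened fragment applies the article's two recommendations directly: disabling the endpoint removes the data source, and a narrow include list plus a separate management port limits the remaining Actuator surface, which is what cuts off the reconnaissance traffic against /health as well.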

# The Consequences for TeleMessage Users

The TeleMessage vulnerability could be significant for its users, who may include former US government officials, government organizations, and enterprises. These organizations rely on the app for secure communication and data archiving purposes.

The potential consequences of this vulnerability are severe, with hackers potentially extracting sensitive information from vulnerable systems. It is essential for TeleMessage users to take proactive measures to mitigate this risk, such as blocking malicious IPs and disabling or restricting access to the /heapdump endpoint.

# Related Security Threats

In addition to the TeleMessage vulnerability, there have been several other notable security threats in recent months. These include:

* Physical "wrench attacks" on Bitcoin holders
* High-profile incidents such as the February hack of crypto exchange Bybit
* Attempts to steal credentials using phishing attacks, malware, and social engineering

It is essential for users to be aware of these threats and take steps to protect themselves.

# Crypto Theft Rising in 2025

According to Chainalysis' latest crime report, over $2.17 billion has been stolen so far in 2025, a pace that would take crypto-related thefts to new highs. These thefts often involve phishing attacks, malware, and social engineering.

It is essential for users to be vigilant and take proactive measures to protect themselves from these threats.

# Conclusion

The TeleMessage vulnerability highlights the ongoing threat landscape and the need for users to stay informed about potential security risks. By taking proactive measures such as blocking malicious IPs and disabling or restricting access to vulnerable endpoints, users can mitigate the risk associated with this vulnerability.