Edward Kiledjian's Threat Intel

Threat actors scanning for apps incorporating vulnerable Spring Boot tool | CSO Online

Critical Spring Boot vulnerability (CVE-2025-48927) is still under active exploitation attempts two months after discovery, with over 1,000 IP addresses now scanning for vulnerable endpoints. Originally found in TeleMessage SGNL, an enterprise messaging platform, the flaw lets attackers retrieve up to 150MB of sensitive heap memory data, including plaintext passwords, through unsecured diagnostic endpoints. While Smarsh has remediated the issue in its TeleMessage environment, security researchers at GreyNoise report that thousands of internet-exposed Spring Boot deployments across enterprise applications remain vulnerable. The vulnerability has been added to CISA’s Known Exploited Vulnerabilities Catalog, and Canadian cybersecurity experts warn organizations against using clone applications without proper security vetting, emphasizing that smaller user bases often receive inadequate developer attention for critical security updates. Enterprise administrators can mitigate the risk by blocking access to all Spring Boot endpoints except /info and /health, while CISOs should implement stronger authentication controls and discourage password reuse across messaging platforms.
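The mitigation above (expose only /health and /info) is a Spring Boot Actuator configuration question, so here is an added example, not code from the CSO Online article, from TeleMessage or from the Spring project, that audits an `application.properties` file for actuator endpoints reachable over HTTP. The property keys (`management.endpoints.web.exposure.include`, `management.endpoints.web.exposure.exclude`, `management.endpoint.<id>.enabled`, `management.endpoints.web.base-path`) are Spring Boot's documented actuator keys; the default include set of `health` and the endpoint list are assumptions stated in the code, and both sample configurations are constructed for the example.

```python
"""Audit a Spring Boot application.properties for actuator endpoints exposed over HTTP.

Added example (not from the page or the Spring project). It models Spring Boot's
exposure rules: include/exclude lists under management.endpoints.web.exposure.*,
per-endpoint management.endpoint.<id>.enabled flags, and the /actuator base path.
"""
from typing import Dict, List, Set

# Subset of actuator endpoint ids that ship with Spring Boot (assumption: list is
# illustrative, not exhaustive; endpoints disabled by default are left out).
KNOWN_ENDPOINTS: Set[str] = {
    "health", "info", "heapdump", "threaddump", "env", "beans",
    "mappings", "configprops", "loggers", "metrics",
}
# Endpoints whose responses routinely carry secrets or raw memory contents.
SENSITIVE_ENDPOINTS: Set[str] = {
    "heapdump", "threaddump", "env", "configprops", "beans", "mappings",
}
# Assumption: Spring Boot exposes only the health endpoint over HTTP unless told otherwise.
DEFAULT_INCLUDE = "health"

# Constructed weak configuration: a wildcard exposes every endpoint, /actuator/heapdump included.
WEAK_PROPERTIES = """\
server.port=8080
management.endpoints.web.exposure.include=*
"""

# Constructed hardened configuration: only /actuator/health and /actuator/info are
# reachable over HTTP, and the heap dump endpoint is switched off entirely.
HARDENED_PROPERTIES = """\
server.port=8080
management.endpoints.web.exposure.include=health,info
management.endpoint.heapdump.enabled=false
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Parse the key=value subset of Java .properties (comments start with # or !)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _split_ids(value: str) -> Set[str]:
    """Turn a comma-separated endpoint list into a set of ids."""
    return {item.strip() for item in value.split(",") if item.strip()}


def effective_web_exposure(props: Dict[str, str]) -> Set[str]:
    """Compute which actuator endpoints are reachable over HTTP for this configuration."""
    include = props.get("management.endpoints.web.exposure.include", DEFAULT_INCLUDE).strip()
    exclude = props.get("management.endpoints.web.exposure.exclude", "").strip()
    exposed = set(KNOWN_ENDPOINTS) if include == "*" else _split_ids(include) & KNOWN_ENDPOINTS
    exposed -= set(KNOWN_ENDPOINTS) if exclude == "*" else _split_ids(exclude)
    # A disabled endpoint is unreachable even when it is in the include list.
    enabled_default = props.get("management.endpoints.enabled-by-default", "true").lower() == "true"
    return {
        ep for ep in exposed
        if props.get(f"management.endpoint.{ep}.enabled", str(enabled_default)).lower() == "true"
    }


def audit(text: str) -> List[str]:
    """Return one finding per sensitive endpoint the configuration exposes over HTTP."""
    props = parse_properties(text)
    base = props.get("management.endpoints.web.base-path", "/actuator")
    exposed = effective_web_exposure(props)
    return sorted(f"{base}/{ep} is exposed over HTTP" for ep in exposed & SENSITIVE_ENDPOINTS)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        findings = audit(cfg)
        print(f"{name}: {findings or 'no sensitive actuator endpoints exposed'}")
```

Run it against your own `application.properties` contents instead of the constructed samples; a non-empty result from `audit()` means the configuration exposes at least one endpoint of the kind the article describes, and the hardened sample shows the two changes that clear it (an explicit `health,info` include list plus disabling `heapdump`). Network-level blocking of the remaining actuator paths at the reverse proxy, as the article recommends, belongs on top of this rather than instead of it.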