CISA Known Exploited Vulnerability (KEV)
Vulnerability Name | Date Added | Due Date | Required Action |
---|---|---|---|
TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability | July 1, 2025 | July 22, 2025 | Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. |
Description
The TeleMessage service through 2025-05-05 configures Spring Boot Actuator with an exposed heap dump endpoint at a /heapdump URI, as exploited in the wild in May 2025.
Weakness Enumeration
CWE-ID | CWE Name |
---|---|
CWE-1188 | Initialization of a Resource with an Insecure Default |