{"id":14470,"date":"2025-07-18T22:57:04","date_gmt":"2025-07-18T22:57:04","guid":{"rendered":"https:\/\/newestek.com\/?p=14470"},"modified":"2025-07-18T22:57:04","modified_gmt":"2025-07-18T22:57:04","slug":"threat-actors-scanning-for-apps-incorporating-vulnerable-spring-boot-tool","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14470","title":{"rendered":"Threat actors scanning for apps incorporating vulnerable Spring Boot tool"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Enterprise admins who haven\u2019t yet mitigated a two-month-old vulnerability in apps that incorporate the open source Spring Boot tool could be in trouble: Attempts to exploit the hole are still ongoing.<\/p>\n<p>Spring Boot is an open source framework that helps developers build microservices and web apps in Java; its Actuator module adds the diagnostic HTTP endpoints at issue here. 
<a href=\"https:\/\/amigoscode.com\/blogs\/spring-boot-roadmap-2025\" target=\"_blank\" rel=\"noreferrer noopener\">According to an April report by Amigoscode<\/a>, a learning platform for developers, Spring Boot \u201cremains one of the most powerful and widely adopted frameworks for Java developers in 2025.\u201d<\/p>\n<p><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2025-48927\" target=\"_blank\" rel=\"noreferrer noopener\">The flaw was first reported in May<\/a> after being found in TeleMessage SGNL, an enterprise messaging system similar to Signal that also captures and archives mobile messages.<\/p>\n<p>However, researchers at <a href=\"https:\/\/www.greynoise.io\/blog\/active-exploit-attempts-signal-based-messaging-app\" target=\"_blank\" rel=\"noreferrer noopener\">GreyNoise reported<\/a> that at least 11 IP addresses were trying to exploit applications containing the vulnerability (CVE-2025-48927) this week alone. On Friday afternoon, after news reports repeated the GreyNoise alert, <a href=\"https:\/\/viz.greynoise.io\/tags\/spring-boot-actuator-health-scanner?days=1\" target=\"_blank\" rel=\"noreferrer noopener\">the number of IP addresses scanning for the vulnerability had jumped to over 1,000.<\/a><\/p>\n<p>GreyNoise said over 2,000 IP addresses have scanned for Spring Boot Actuator endpoints in the past 90 days.\u00a0Of them, 1,582 IPs specifically targeted the\u00a0<em>\/health<\/em>\u00a0endpoints, commonly used to detect internet-exposed Spring Boot deployments.\u00a0<\/p>\n<p>If vulnerable deployments, TeleMessage SGNL included, are found, the exposed endpoint lets an attacker download a snapshot of the application\u2019s heap memory, which can contain plaintext usernames and passwords. 
The hole is serious enough that it was added this week to the US Cybersecurity and Infrastructure Security Agency\u2019s <a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\" target=\"_blank\" rel=\"noreferrer noopener\">Known Exploited Vulnerabilities Catalog<\/a>.<\/p>\n<p>It isn\u2019t clear how many Spring Boot Actuator endpoints are still at risk. A GreyNoise researcher this week found that many devices are still open and vulnerable to the exploit.<\/p>\n<h2 class=\"wp-block-heading\" id=\"how-spring-boot-is-used\">How Spring Boot is used<\/h2>\n<p>GreyNoise says the problem in TeleMessage SGNL stems from the platform\u2019s continued use of a legacy configuration in Spring Boot Actuator in which the diagnostic\u00a0<em>\/heapdump<\/em>\u00a0endpoint, which returns a full snapshot of the JVM heap, is publicly accessible on the internet without authentication.<\/p>\n<p>Mitigating the vulnerability in any application that uses Spring Boot is relatively easy: expose no Actuator endpoints over HTTP other than\u00a0<em>\/health<\/em>\u00a0and\u00a0<em>\/info<\/em>, disable\u00a0<em>\/heapdump<\/em>\u00a0or put authentication in front of it, and keep\u00a0<em>\/health<\/em>\u00a0from returning component details to anonymous callers. Recent Spring Boot releases expose only\u00a0<em>\/health<\/em>\u00a0over HTTP by default, so a public\u00a0<em>\/heapdump<\/em>\u00a0is the result of explicit configuration or of a legacy setup carried forward.<\/p>\n<p>TeleMessage SGNL is sold by US-based Smarsh, which offers a number of archiving, communication compliance, information governance, and data migration solutions. 
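The exposure GreyNoise describes comes down to which Actuator endpoints a Spring Boot application publishes over HTTP, and that is decided by a handful of properties. The following is an added example, not code from the article, GreyNoise, Spring or TeleMessage: a small Python auditor that reads a Spring Boot application.properties and reports whether /heapdump would be reachable, modelling the documented Spring Boot 2.x/3.x Actuator property semantics (management.endpoints.web.exposure.include and .exclude, with exclude taking precedence; management.endpoints.enabled-by-default and management.endpoint.<id>.enabled; management.endpoints.web.base-path, default /actuator; management.endpoint.health.show-details, default never). The two configurations it checks are constructed for the example: the first reproduces a legacy-style "expose everything at the root" setup, the second the hardening the article recommends. The audit covers exposure through configuration only; authentication in front of an exposed endpoint (for instance via Spring Security) is a separate control it does not model.

```python
"""Audit Spring Boot Actuator settings for a reachable /heapdump.

Added example, not code from the article, GreyNoise, Spring or TeleMessage.
Models the documented Spring Boot 2.x/3.x Actuator properties:
  management.endpoints.web.exposure.include / .exclude   (exclude wins)
  management.endpoints.enabled-by-default, management.endpoint.<id>.enabled
  management.endpoints.web.base-path                      (default /actuator)
"""
from __future__ import annotations

# Endpoint IDs that reveal process internals and must never be anonymous.
SENSITIVE = {"heapdump", "env", "configprops", "threaddump", "mappings", "beans", "shutdown"}
KNOWN = SENSITIVE | {"health", "info", "metrics", "loggers"}
# Spring Boot leaves 'shutdown' off unless it is explicitly enabled.
DISABLED_BY_DEFAULT = {"shutdown"}

# Constructed for this example: a legacy-style "everything at the root" setup.
LEGACY_CONFIG = """
management.endpoints.web.exposure.include=*
management.endpoints.web.base-path=/
management.endpoint.health.show-details=always
"""

# Constructed for this example: the hardening the article recommends.
HARDENED_CONFIG = """
management.endpoints.web.exposure.include=health,info
management.endpoint.heapdump.enabled=false
management.endpoint.health.show-details=never
"""


def parse_properties(text: str) -> dict[str, str]:
    """Minimal .properties reader: key=value or key: value, '#'/'!' comments."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = "=" if "=" in line else ":"
        if sep not in line:
            continue
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def _csv(value: str | None) -> set[str]:
    return {v.strip() for v in value.split(",") if v.strip()} if value else set()


def _enabled(props: dict[str, str], endpoint: str) -> bool:
    """Per-endpoint setting beats the global default, which beats the built-in default."""
    explicit = props.get(f"management.endpoint.{endpoint}.enabled")
    if explicit is not None:
        return explicit.lower() == "true"
    global_default = props.get("management.endpoints.enabled-by-default")
    if global_default is not None:
        return global_default.lower() == "true"
    return endpoint not in DISABLED_BY_DEFAULT


def exposed_endpoints(props: dict[str, str]) -> set[str]:
    """Endpoint IDs reachable over HTTP under the given configuration."""
    include = _csv(props.get("management.endpoints.web.exposure.include")) or {"health"}
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude"))
    candidates = set(KNOWN) if "*" in include else include & KNOWN
    if "*" in exclude:
        return set()
    candidates -= exclude  # exclude takes precedence over include
    return {e for e in candidates if _enabled(props, e)}


def heapdump_path(props: dict[str, str]) -> str | None:
    """URL path where /heapdump would answer, or None if it is not exposed."""
    if "heapdump" not in exposed_endpoints(props):
        return None
    base = props.get("management.endpoints.web.base-path", "/actuator").rstrip("/")
    return f"{base}/heapdump"


def audit(text: str) -> list[str]:
    """Findings for one application.properties, most severe first."""
    props = parse_properties(text)
    exposed = exposed_endpoints(props)
    findings: list[str] = []
    path = heapdump_path(props)
    if path:
        findings.append(f"CRITICAL: heap dump downloadable at {path}")
    for e in sorted(exposed & (SENSITIVE - {"heapdump"})):
        findings.append(f"HIGH: sensitive endpoint '{e}' exposed over HTTP")
    if "health" in exposed and props.get("management.endpoint.health.show-details", "never") == "always":
        findings.append("MEDIUM: /health returns component details to anonymous callers")
    return findings


if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
```

Run against the legacy configuration the auditor reports the heap dump at /heapdump (the root base path is what puts it there rather than under /actuator) plus the other internals-revealing endpoints and the over-detailed /health; the hardened configuration produces no findings. An empty file, i.e. Spring Boot defaults, exposes only /health.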
It isn\u2019t clear how extensively Smarsh is currently marketing TeleMessage SGNL; there is <a href=\"https:\/\/www.telemessage.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">a home page for the application<\/a>, but no links within it to get more information about the product.<\/p>\n<p>CSO left an email message and asked a Smarsh sales representative about getting comment on the vulnerability, but no response had been received by press time.<\/p>\n<p>TeleMessage SGNL\u2019s user base is much smaller than Signal\u2019s, notes <a href=\"https:\/\/cypfer.com\/team-member\/ed-dubrovsky\/\" target=\"_blank\" rel=\"noreferrer noopener\">Ed Dubrovsky<\/a>, chief operating officer of incident response firm Cypfer, so the possible impact of this vulnerability is smaller.<\/p>\n<p>However, he noted, exploitation of the flaw allows remote copying of up to 150MB of data from the app\u2019s heap memory, which, if it includes text messages, \u201ccan present a serious concern.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"beware-of-clone-apps\">Beware of clone apps<\/h2>\n<p>\u201cFrom a CISO\/CSO perspective, the use of clone apps should be discouraged unless there is a very specific reason for such usage,\u201d he added. \u201cThe main reason is that as the audience grows smaller, these clone applications do not get nearly enough attention from their developers, increasing risks of zero day and other vulnerabilities.\u201d <\/p>\n<p>\u201cFinally,\u201d he said, \u201cremind users to not re-use logins\/passwords and limit information shared in text apps to non-confidential information.\u201d<\/p>\n<p><a href=\"https:\/\/www.digitaldefence.ca\/company\/\" target=\"_blank\" rel=\"noreferrer noopener\">Robert Beggs<\/a>, head of Canadian incident response firm Digital Defence, noted other security issues, also reported in May, that TeleMessage SGNL users should be aware of. 
The US National Institute of Standards and Technology (NIST) <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2025-48931\" target=\"_blank\" rel=\"noreferrer noopener\">reports that this application uses MD5 for password hashing<\/a>, \u201cwhich opens up various attack possibilities (including rainbow tables) with low computational effort\u201d (CVE-2025-48931).<\/p>\n<p>MD5 is an outdated encryption method and is known to be insecure, he said in an email.\u00a0He also pointed out that NIST says these hashed passwords can be accepted by TeleMessage SGNL as an authentication credential (CVE-2025-48925).<\/p>\n<p>\u201cTo some extent, TeleMessage SGNL \u2018rode on the back\u2019 of Signal\u2019s end-to-end security claims, copying their look and feel for the interface,\u201d Beggs said.\u00a0Given that fact, he asked, \u201chow does a CISO differentiate third party products from the original products that may have stronger security in place?\u201d<\/p>\n<p>The vulnerabilities highlight a potential risk, he said: A Trojan application operated by a hostile country or organized hacker group that is designed to appear security compliant could surreptitiously collect unencrypted data on the backend.\u00a0\u201cGovernments, financial institutions, and organizations looking to protect intellectual property could be at risk from this type of attack,\u201d he said.\u00a0\u201cThe data could be used as the ultimate insider threat.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Enterprise admins who haven\u2019t yet mitigated a two-month-old vulnerability in apps that incorporate the open source Spring Boot tool could be in trouble: Attempts to exploit the hole are still ongoing. Spring Boot is an open source framework that helps developers build microservices and web apps in Java; its Actuator module adds the diagnostic HTTP endpoints at issue here. 
According to an April report by Amigoscode, a learning platform for developers, Spring Boot \u201cremains one of the&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14470\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14470","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14470","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14470"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14470\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14470"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14470"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14470"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
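The MD5 password hashing (CVE-2025-48931) and hash-accepted-as-credential (CVE-2025-48925) issues Beggs cites in the article compound the heap-dump exposure: a digest read out of a heap dump needs no cracking at all if the server accepts it directly, and an unsalted MD5 digest is a single table lookup even when it does. The following is an added example, not TeleMessage's code (whose logic is not on the page and is not claimed here); legacy_login models only what the two NVD descriptions say, and the hardened half uses the Python standard library's PBKDF2-HMAC-SHA256 with a random per-user salt and constant-time comparison. The user record and the wordlist are constructed for the example.

```python
"""Unsalted MD5 plus "the hash is accepted as the credential": a two-step break.

Added example, not TeleMessage code. `legacy_login` models what the two NVD
descriptions say (CVE-2025-48931: MD5 password hashing; CVE-2025-48925: a
stored hash accepted as the authentication credential); the real application's
logic is not on the page. `hardened_login` is a standard salted
PBKDF2-HMAC-SHA256 design with constant-time comparison.
"""
import hashlib
import hmac
import os

ITERATIONS = 600_000  # OWASP (2023) minimum for PBKDF2-HMAC-SHA256


def md5_hex(data: str) -> str:
    # usedforsecurity=False: this demonstrates a weak scheme, and the flag keeps
    # the example running on FIPS-restricted Python builds (3.9+).
    return hashlib.md5(data.encode(), usedforsecurity=False).hexdigest()


# Constructed user store in the weak scheme: unsalted MD5 of the password.
LEGACY_USERS = {"alice": md5_hex("Winter2025!")}


def build_lookup_table(wordlist):
    """Stand-in for a precomputed (rainbow) table: md5(candidate) -> candidate.
    Built once and reused against every leaked digest, because there is no salt."""
    return {md5_hex(w): w for w in wordlist}


def crack_unsalted_md5(digest, table):
    """Recovering a password is a single dictionary lookup per digest."""
    return table.get(digest)


def legacy_login(user, credential):
    """Vulnerable verifier: accepts either the password or its stored MD5 digest.
    A digest leaked from a heap dump therefore logs in without being cracked."""
    stored = LEGACY_USERS.get(user)
    if stored is None:
        return False
    return credential == stored or md5_hex(credential) == stored


def make_record(password):
    """Hardened storage: random per-user salt and a slow KDF, so equal passwords
    get different records and precomputation buys nothing."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "dk": dk}


def hardened_login(record, password):
    """Re-derives from the supplied password only; a leaked `dk` is not a credential."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(dk, record["dk"])


if __name__ == "__main__":
    table = build_lookup_table(["password", "letmein", "Winter2025!"])
    leaked = LEGACY_USERS["alice"]
    print("cracked:", crack_unsalted_md5(leaked, table))
    print("replayed digest accepted:", legacy_login("alice", leaked))
    rec = make_record("Winter2025!")
    print("replayed dk accepted:", hardened_login(rec, rec["dk"].hex()))
```

The point of the hardened half is not the algorithm name but the two properties the legacy scheme lacks: the stored value is never compared against the submitted credential directly, and the per-user salt forces an attacker to spend the full KDF cost on every guess for every user rather than on a table built once.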