
TeleMessage Vulnerability Exploited Amid Escalating Cryptocurrency Security Threats

A critical vulnerability in TeleMessage’s systems (CVE-2025-48927) is being actively exploited by multiple threat actors, exposing significant security risks for cryptocurrency exchanges and government entities. The flaw, centered on the Spring Boot Actuator’s /heapdump endpoint, has been targeted by at least eleven distinct IP addresses since April.

Security intelligence firm GreyNoise reports over 2,000 IP addresses scanning for vulnerable Spring Boot Actuator endpoints within the past three months, with 1,582 systems identified as susceptible to exploitation. While TeleMessage has developed a security patch, inconsistent deployment timelines across client organizations leave numerous systems unprotected against ongoing attacks.
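As an added example (not from the article, GreyNoise or TeleMessage), the following triages web access logs for requests to the heap dump endpoint, separating sources that were actually served a dump from those that only probed. It assumes combined-format access logs and treats both `/heapdump` and `/actuator/heapdump` (the default path in Spring Boot 2 and later) as the endpoint; the log lines are constructed and use documentation-range addresses.

```python
import re
from collections import defaultdict

# Constructed access-log lines in combined log format (not real traffic;
# addresses are from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [02/Jun/2025:10:14:01 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "probe"
203.0.113.9 - - [02/Jun/2025:10:14:05 +0000] "GET /heapdump HTTP/1.1" 404 0 "-" "scanner"
203.0.113.9 - - [02/Jun/2025:10:14:06 +0000] "GET /actuator/heapdump HTTP/1.1" 200 48234496 "-" "scanner"
192.0.2.44 - - [02/Jun/2025:11:02:10 +0000] "GET /actuator/heapdump?x=1 HTTP/1.1" 401 0 "-" "curl"
192.0.2.44 - - [02/Jun/2025:11:02:11 +0000] "GET /api/heapdump-report HTTP/1.1" 200 512 "-" "curl"
"""

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Match the endpoint as a whole final path segment, ignoring any query string.
HEAPDUMP = re.compile(r'(?:^|/)heapdump/?$', re.IGNORECASE)

def heapdump_hits(log_text):
    """Return {ip: {"probes": n, "served": [bytes, ...]}} for heapdump requests."""
    hits = defaultdict(lambda: {"probes": 0, "served": []})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        path = m["target"].split("?", 1)[0]
        if not HEAPDUMP.search(path):
            continue
        entry = hits[m["ip"]]
        entry["probes"] += 1
        # A 200 with a non-empty body means a heap dump actually left the host.
        if m["status"] == "200" and m["size"] not in ("-", "0"):
            entry["served"].append(int(m["size"]))
    return dict(hits)

def triage(log_text):
    """Split sources into those served a dump and those that only probed."""
    hits = heapdump_hits(log_text)
    served = sorted(ip for ip, h in hits.items() if h["served"])
    probed = sorted(ip for ip, h in hits.items() if not h["served"])
    return served, probed

if __name__ == "__main__":
    served, probed = triage(SAMPLE_LOG)
    print("dump served to:", served)
    print("probe only:", probed)
```

A source in the "served" list received a copy of the application's memory, so any credentials or tokens held by the process at that time should be treated as exposed and rotated.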

This exploitation occurs against a backdrop of heightened cryptocurrency thefts globally, including high-profile exchange breaches like the Bybit incident and physical attacks targeting Bitcoin holders. The threat carries amplified consequences given TeleMessage’s client roster—which spans government agencies and major crypto platforms such as Coinbase—potentially enabling far-reaching data compromise and regulatory compliance failures.

The convergence of this exploitation with surging crypto thefts underscores weaknesses in critical infrastructure and the need for accelerated security updates across financial technology providers.
