What is the CVSS score of CVE-2025-48928?

CVE-2025-48928 has a CVSS 3.1 base score of 4.0 (Medium). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. EPSS exploitation probability: 8.3%.

Which versions of Telemessage are affected by CVE-2025-48928?

Organizations using TeleMessage service through 2025-05-05 should be aware of moderate risk from CVE-2025-48928 rated CVSS 4.0. Exploitation could compromise the security of affected deployments.

Is CVE-2025-48928 being actively exploited?

Yes, CVE-2025-48928 is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, confirming active in-the-wild exploitation. Immediate patching is required.

How to fix or mitigate CVE-2025-48928?

Within 24 hours: Identify affected systems and apply vendor patches immediately. Monitor vendor channels for patch availability.

Telemessage CVE-2025-48928

MEDIUM

Exposure of Core Dump File to an Unauthorized Control Sphere (CWE-528)

2025-05-28 cve@mitre.org

Information Disclosure Telemessage

4.0

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:44 vuln.today

Added to CISA KEV

Nov 05, 2025 - 19:25 cisa

CISA KEV

CVE Published

May 28, 2025 - 17:15 nvd

MEDIUM 4.0

DescriptionNVD

AnalysisAI

The TeleMessage service through 2025-05-05 is based on a JSP application in which the heap content is roughly equivalent to a "core dump" in which a password previously sent over HTTP would be. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and no vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-528. The TeleMessage service through 2025-05-05 is based on a JSP application in which the heap content is roughly equivalent to a "core dump" in which a password previously sent over HTTP would be included in this dump, as exploited in the wild in May 2025. Affected products include: Smarsh Telemessage. Version information: through 2025.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2025-48928 vulnerability details – vuln.today

Back

Telemessage CVE-2025-48928

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code