Telemessage
CVE-2025-48929
MEDIUM
Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The TeleMessage service through 2025-05-05 implements authentication through a long-lived credential (e.g., not a token with a short expiration time) that can be reused at a later date if discovered by an adversary.
AnalysisAI
The TeleMessage service through 2025-05-05 implements authentication through a long-lived credential (e.g., not a token with a short expiration time) that can be reused at a later date if discovered. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-922. The TeleMessage service through 2025-05-05 implements authentication through a long-lived credential (e.g., not a token with a short expiration time) that can be reused at a later date if discovered by an adversary. Affected products include: Smarsh Telemessage. Version information: through 2025.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Telemessage
View allThe TeleMessage archiving backend through 2025-05-05 accepts API calls (to request an authentication token) from the TM
The TeleMessage service through 2025-05-05 relies on MD5 for password hashing, which opens up various attack possibiliti
The TeleMessage service through 2025-05-05 stores certain cleartext information in memory, even though memory content ma
The TeleMessage service through 2025-05-05 is based on a JSP application in which the heap content is roughly equivalent
The TeleMessage service through 2025-05-05 configures Spring Boot Actuator with an exposed heap dump endpoint at a /heap
The admin panel in the TeleMessage service through 2025-05-05 allows attackers to discover usernames, e-mail addresses,
The TeleMessage service through 2025-05-05 relies on the client side (e.g., the TM SGNL app) to do MD5 hashing, and then
Same weakness CWE-922 – Insecure Storage of Sensitive Information
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today