CVE-2026-3502

HIGH

TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.

CVSS v3.1 Score

7.8
HIGH
CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
Attack Vector
ADJACENT_NETWORK
Complexity
LOW
Privileges
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
LOW
Published: 3/30/2026Modified: 4/3/2026

Related Intelligence (3)

MEDIUMVulnerability

CISA Adds One Known Exploited Vulnerability to Catalog

<p>CISA has added&nbsp;one&nbsp;new&nbsp;vulnerability&nbsp;to its&nbsp;<a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">Known Exploited Vulnerabilities (KEV) Catalog</a>, based on evidence of active exploitation.&nbsp;</p> <ul> <li><a href="https://www.cve.org/CVERecord?id=CVE-2026-3502" target="_blank">CVE-2026-3502</a>&nbsp;TrueConf&nbsp;Client Download of Code Without Int

CVE-2026-3502
CISA Advisories
HIGHVulnerability

CISA KEV: TrueConf Client — TrueConf Client Download of Code Without Integrity Check Vulnerability

TrueConf Client contains a download of code without integrity check vulnerability. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.

CVE-2026-3502TrueConf Client
CISA KEV
CRITICALZero Day

TrueConf Zero-Day Exploited in Attacks on Southeast Asian Government Networks

A high-severity security flaw in the TrueConf client video conferencing software has been exploited in the wild as a zero-day as part of a campaign targeting government entities in Southeast Asia dubbed TrueChaos. The vulnerability in question is CVE-2026-3502 (CVSS score: 7.8), a lack of integrity check when fetching application update code, allowing an attacker to distribute a tampered update,

CVE-2026-3502
The Hacker News

References (3)

https://trueconf.com/blog/update/trueconf-8-5ProductRelease Noteshttps://research.checkpoint.com/2026/operation-truechaos-0-day-exploitation-against-southeast-asian-government-targets/Third Party Advisoryhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-3502US Government Resource