CRITICALZero Day
Global

TrueConf Zero-Day Exploited in Attacks on Southeast Asian Government Networks

Tuesday, March 31, 2026 at 04:03 PM UTC·Source: The Hacker News

Updated: Wednesday, April 1, 2026 at 07:13 PM UTC

Executive Summary

A high-severity security flaw in the TrueConf client video conferencing software has been exploited in the wild as a zero-day as part of a campaign targeting government entities in Southeast Asia dubbed TrueChaos. The vulnerability in question is CVE-2026-3502 (CVSS score: 7.8), a lack of integrity check when fetching application update code, allowing an attacker to distribute a tampered update,

Analysis

A high-severity security flaw in the TrueConf client video conferencing software has been exploited in the wild as a zero-day as part of a campaign targeting government entities in Southeast Asia dubbed TrueChaos. The vulnerability in question is CVE-2026-3502 (CVSS score: 7.8), a lack of integrity check when fetching application update code, allowing an attacker to distribute a tampered update,

Indicators of Compromise (1)

CVE (1)
CVE-2026-3502
NVDMITRE CVE
Source Attribution

Originally published by The Hacker News on Mar 31, 2026.

Related Threats

LOWZero Day

EvilTokens abuses Microsoft device code flow for account takeovers

A new phishing-as-a-service (PhaaS) campaign is abusing Microsoft’s device code authentication flow to gain unauthorized access to user accounts. Sekoia researchers first spotted the toolkit “EvilTokens” that lets attackers capture authentication tokens by tricking users into completing a legitimate login process in Microsoft’s own environment. The activity, observed since at least mid-February, r

CSO Online
MEDIUMVulnerability

CISA Adds One Known Exploited Vulnerability to Catalog

<p>CISA has added&nbsp;one&nbsp;new&nbsp;vulnerability&nbsp;to its&nbsp;<a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">Known Exploited Vulnerabilities (KEV) Catalog</a>, based on evidence of active exploitation.&nbsp;</p> <ul> <li><a href="https://www.cve.org/CVERecord?id=CVE-2026-3502" target="_blank">CVE-2026-3502</a>&nbsp;TrueConf&nbsp;Client Download of Code Without Int

CVE-2026-3502
CISA Advisories
CRITICALZero Day

Cybersecurity in the age of instant software

AI is rapidly changing how software is written, deployed, and used. Trends point to a future where AIs can write custom software quickly and easily: “instant software.” Taken to an extreme, it might become easier for a user to have an AI write an application on demand — a spreadsheet, for example — and delete it when you’re done using it than to buy one commercially. Future systems could include a

CSO Online