CVE-2026-3502

HIGH

TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.

CVSS v3.1 Score

7.8
HIGH
CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
Attack Vector
ADJACENT_NETWORK
Complexity
LOW
Privileges
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
LOW
Published: 3/30/2026
Modified: 4/2/2026

Related Intelligence (3)

MEDIUM | Vulnerability

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog), based on evidence of active exploitation.

- CVE-2026-3502 (https://www.cve.org/CVERecord?id=CVE-2026-3502) TrueConf Client Download of Code Without Int

CVE-2026-3502
CISA Advisories
HIGH | Vulnerability

CISA KEV: TrueConf Client — TrueConf Client Download of Code Without Integrity Check Vulnerability

TrueConf Client contains a download of code without integrity check vulnerability. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.

CVE-2026-3502
TrueConf Client
CISA KEV
CRITICAL | Zero Day

TrueConf Zero-Day Exploited in Attacks on Southeast Asian Government Networks

A high-severity security flaw in the TrueConf client video conferencing software has been exploited in the wild as a zero-day as part of a campaign targeting government entities in Southeast Asia dubbed TrueChaos. The vulnerability in question is CVE-2026-3502 (CVSS score: 7.8), a lack of integrity check when fetching application update code, allowing an attacker to distribute a tampered update,

CVE-2026-3502
The Hacker News

References (3)