Vulnerabilities | High

TrueConf Client Zero-Day CVE-2026-3502 Exploited Against Governments

Sunday, April 5, 2026
Southeast Asia (Government Sector)
NVD + CISA KEV

Summary

A high-severity zero-day vulnerability (CVE-2026-3502, CVSS 7.8) in the TrueConf video conferencing client allows attackers to substitute tampered update packages and achieve arbitrary code execution. The flaw has been actively exploited against government entities in Southeast Asia by a suspected Chinese-nexus threat actor. CISA added this CVE to its Known Exploited Vulnerabilities catalog on April 2, 2026, with a remediation deadline of April 16, 2026.

Threat Analysis

CVE-2026-3502 is a high-severity Download of Code Without Integrity Check vulnerability in TrueConf Client (CVSS 7.8). The flaw exists because the TrueConf client does not validate the integrity of update packages fetched from the server. An attacker who controls an on-premises TrueConf server — or can intercept the update delivery path — can substitute the legitimate update with a malicious payload, resulting in arbitrary code execution on the client machine.

Affected Products: TrueConf Windows Client versions prior to 8.5.3.

Exploitation Status: Actively exploited in the wild. The campaign, dubbed "TrueChaos," targeted government entities in Southeast Asia. Attackers deployed the open-source Havoc command-and-control (C2) framework post-exploitation. The campaign is attributed with moderate confidence to a Chinese-nexus threat actor.

Recommended Mitigations: Update TrueConf Windows Client to version 8.5.3 or later immediately. Federal agencies must comply with CISA BOD 22-01 and remediate by April 16, 2026. Organizations should also review TrueConf server access controls and monitor for unauthorized update package modifications.
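
One way to monitor for unauthorized update package modifications is a hash baseline of the server's update package directory, compared on a schedule. This is an added example, not TrueConf or CISA code. The directory and file names are constructed, and the baseline is assumed to be stored off the TrueConf server so that a server compromise cannot rewrite it.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large installers are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(update_dir):
    """Map relative path -> SHA-256 for every file under update_dir."""
    root = Path(update_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Return (finding, path) for every difference from the approved baseline."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None:
            findings.append(("ADDED", name))      # file not in approved set
        elif new is None:
            findings.append(("REMOVED", name))    # approved file is gone
        elif old != new:
            findings.append(("MODIFIED", name))   # same name, different bytes
    return findings


def demo():
    """Constructed scenario: a package is swapped and an extra file appears."""
    with tempfile.TemporaryDirectory() as d:
        pkg = Path(d) / "client_setup.exe"        # constructed file name
        pkg.write_bytes(b"constructed known-good installer bytes")
        baseline = snapshot(d)                    # taken at approved deployment
        pkg.write_bytes(b"constructed tampered installer bytes")
        (Path(d) / "extra.dll").write_bytes(b"constructed unexpected file")
        return compare(baseline, snapshot(d))


if __name__ == "__main__":
    for kind, name in demo():
        print(kind, name)
```

Any finding outside an approved change window is worth investigating, since patched and unpatched clients alike fetch packages from this location.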

Last updated: Apr 5, 2026, 08:15 AM
