TrueConf Client Zero-Day CVE-2026-3502 Exploited in TrueChaos Campaign

CVE-2026-3502 is a download-of-code-without-integrity-check vulnerability (CWE-494) in TrueConf Client video conferencing software. The flaw was exploited as a zero-day in a campaign named "TrueChaos" attributed to a Chinese-nexus threat actor, targeting government entities in Southeast Asia beginning in early 2026. The vulnerability allows attackers to distribute tampered update payloads that execute arbitrary code on victim systems, effectively turning the software update mechanism into an attack vector. CISA added CVE-2026-3502 to its Known Exploited Vulnerabilities catalog on April 2, 2026, with a remediation due date of April 16, 2026. The campaign represents a sophisticated supply-chain style attack leveraging trusted software update channels. Recommended mitigations: Apply available TrueConf patches immediately, verify software update integrity, restrict TrueConf update server access, and monitor for anomalous update activity in government networks.