CVE-2026-3502
Published 2026-03-30
CVE-2026-3502: TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path…
Priority: P1 · 80 · high
CVSS 3.1: 7.8 (AV:A / AC:L / PR:H / UI:R / S:C / C:H / I:H / A:L)
KEV: CISA Known Exploited Vulnerability, due 2026-04-16
ITW: Exploited in the wild
EPSS: 5.75% (92.1th percentile)
TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trueconf | trueconf | < 8.5.3.884 | 8.5.3.884 |
| trueconf | trueconf_client | — | — |
Detection & IOCs (extracted from sources)
- Detect UAC bypass via iscsicpl.exe executing from SysWOW64 with iscsiexe.dll sideloaded from %PATH% (TEMP directory)
- Alert on registry persistence key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateCheck pointing to C:\ProgramData\PowerISO\PowerISO.exe
- Detect PATH hijacking via registry: reg add hkcu\environment setting PATH to C:\users\<user>\appdata\local\temp, used to force sideloading of iscsiexe.dll
- Monitor outbound FTP connections to 47.237.15[.]197 with credentials 'ftpuser' fetching update.7z, indicative of second-stage payload retrieval
- Flag network traffic to Havoc C2 IPs 43.134.90[.]60, 43.134.52[.]221, and 47.237.15[.]197 (Alibaba Cloud / Tencent hosted)
- Detect reconnaissance commands tasklist > cache and tracert 8.8.8.8 -h 5 executed in context of TrueConf update process
- Hunt for rom.dat artifact dropped alongside iscsiexe.dll as an indicator of the Havoc loader stage
- Vulnerability only exploitable by an attacker who has already gained control of the on-premises TrueConf server; cloud-hosted deployments have a different trust boundary
- The malicious update is delivered via the normal TrueConf update URL path; blocking or monitoring https://{trueconf_server}/downlods/trueconf_client.exe at the network level may help detect substitution
- The update package on the server is stored at C:\Program Files\TrueConf Server\ClientInstFiles\ — integrity monitoring of this directory is recommended to detect tampering
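The host-side behaviours listed above, expressed as matching rules over process-creation, image-load and registry events. This is an added example, not code from this page or its sources; the event field names, the sample events, and the assumption that the updater's image path contains "trueconf" are constructed for illustration.

```python
import re

# Rules mirror the detection notes above. Event field names (kind, image,
# parent, cmd, loaded, target, details) are assumptions of this example.
RULES = [
    ("iscsicpl_from_syswow64", "process",
     lambda e: re.search(r"\\syswow64\\iscsicpl\.exe$", e["image"], re.I)),
    ("iscsiexe_dll_loaded_from_temp", "image_load",
     lambda e: re.search(r"\\temp\\iscsiexe\.dll$", e["loaded"], re.I)),
    ("user_path_set_to_temp", "process",
     lambda e: re.search(r"\breg(\.exe)?\s+add\s+(hkcu|hkey_current_user)\\environment\b"
                         r".*\bpath\b.*\\appdata\\local\\temp", e["cmd"], re.I)),
    ("run_key_updatecheck", "registry",
     lambda e: e["target"].lower().endswith(r"\currentversion\run\updatecheck")
     and r"\programdata\poweriso\poweriso.exe" in e["details"].lower()),
    # Assumption: the updater's image path contains "trueconf".
    ("recon_from_updater", "process",
     lambda e: "trueconf" in e["parent"].lower() and re.search(
         r"tasklist\s*>\s*cache|tracert\s+8\.8\.8\.8\s+-h\s+5", e["cmd"], re.I)),
]

def detect(events):
    """Return (event_index, rule_name) for every rule an event matches."""
    return [(i, name) for i, e in enumerate(events)
            for name, kind, pred in RULES if e["kind"] == kind and pred(e)]

# Constructed sample events (not real telemetry); user and folder names are made up.
TEMP = r"C:\Users\user1\AppData\Local\Temp"
SAMPLE = [
    {"kind": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\example\trueconf_client.exe", "cmd": "cmd.exe /c tasklist > cache"},
    {"kind": "process", "image": r"C:\Windows\System32\reg.exe", "parent": "cmd.exe",
     "cmd": r"reg add hkcu\environment /v PATH /d " + TEMP + " /f"},
    {"kind": "process", "image": r"C:\Windows\SysWOW64\iscsicpl.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "iscsicpl.exe"},
    {"kind": "image_load", "image": r"C:\Windows\SysWOW64\iscsicpl.exe",
     "loaded": TEMP + r"\iscsiexe.dll"},
    {"kind": "registry", "details": r"C:\ProgramData\PowerISO\PowerISO.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateCheck"},
    # Benign look-alikes that must not alert:
    {"kind": "process", "image": r"C:\Windows\System32\iscsicpl.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "iscsicpl.exe"},
    {"kind": "process", "image": r"C:\Windows\System32\TRACERT.EXE",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "tracert 8.8.8.8 -h 5"},
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE):
        print(idx, rule)
```

The last two sample events show why each rule is scoped: iscsicpl.exe from System32 and a tracert run outside the updater's process tree do not alert.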
CVSS provenance
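| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |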
CISA
TrueConf Client Download of Code Without Integrity Check Vulnerability
cisa·2026-04-02·CVSS 7.8
CVE-2026-3502 [HIGH] CWE-494 TrueConf Client Download of Code Without Integrity Check Vulnerability
Vulnerability: TrueConf Client Download of Code Without Integrity Check Vulnerability
Affected: TrueConf Client
TrueConf Client contains a download of code without integrity check vulnerability. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://trueconf.com/blog/update/trueconf-8-5 ; https://trueconf.com/downloads/windows.html ; https://nvd.nist.gov/vuln/detail/CVE-2026-3502
Remediation Due Da
VulDB
TrueConf Client Application Update code download (Nessus ID 320363)
vuldb·2026-06-11·CVSS 7.8
CVE-2026-3502 [HIGH] TrueConf Client Application Update code download (Nessus ID 320363)
A vulnerability marked as problematic has been reported in TrueConf Client. The affected element is an unknown function of the component Application Update Handler. The manipulation leads to download of code without integrity check.
This vulnerability is traded as CVE-2026-3502. Access to the local network is required for this attack to succeed. Furthermore, there is an exploit available.
GHSA
GHSA-33r5-g5m3-5m79: TrueConf Client downloads application update code and applies it without performing verification
ghsa_unreviewed·2026-03-30
CVE-2026-3502 [HIGH] CWE-494 GHSA-33r5-g5m3-5m79: TrueConf Client downloads application update code and applies it without performing verification
TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.
VulnCheck
TrueConf Client Download of Code Without Integrity Check Vulnerability
vulncheck·2026·CVSS 7.8
CVE-2026-3502 [HIGH] CWE-494 TrueConf Client Download of Code Without Integrity Check Vulnerability
TrueConf Client contains a download of code without integrity check vulnerability. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.
Affected: TrueConf Client
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://research.checkpoint.com/2026/operation-truechaos-0-day-exploitation-against-southeast-asian-government-targets/; https://www.cisa.gov/sites/default/
No detection rules found.
No public exploits indexed.
Hackernews
⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More
blogs_hackernews·2026-04-06
## ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More
This week had real hits. The key software got tampered with. Active bugs showed up in the tools people use every day. Some attacks didn’t even need much effort because the path was already there.
One weak spot now spreads wider than before. What starts small can reach a lot of systems fast. New bugs, faster use, less time to react.
That’s this week. Read through it.
## ⚡ Threat of the Week
Axios npm Package Compromised by N. Korean Hackers —Threat actors with ties to North Korea seized control of the npm account belonging to the lead m
Checkpoint
6th April – Threat Intelligence Report
blogs_checkpoint·2026-04-06
CVE-2026-20093 6th April – Threat Intelligence Report
## 6th April – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 30th March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The European Commission, the European Union’s executive body, has confirmed a data breach after its Europa.eu platform was compromised through a third-party exchange linked to the Trivy supply chain attack. The incident affected at least one Amazon Web Services account and resulted in data theft, while websites and internal sys
Bleepingcomputer
Hackers exploit TrueConf zero-day to push malicious software updates
blogs_bleepingcomputer·2026-04-01·CVSS 7.8
[HIGH] Hackers exploit TrueConf zero-day to push malicious software updates
## Hackers exploit TrueConf zero-day to push malicious software updates
## Bill Toulas
According to the vendor, more than 100,000 organizations transitioned to TrueConf during the COVID-19 pandemic for remote online business activities. Among TrueConf users are military forces, government agencies, oil and gas corporations, and air traffic management companies.
CheckPoint researchers have been tracking a campaign they track as TrueChaos that, since the beginning of the year, has exploited CVE-2026-3502 in zero-day attacks targeting government entities in Southeast Asia.
“An attacker who gains control of the on-premises TrueConf server can replace the expected update package with an arbitrary executable, presented as the current application version, and distribute it to all connected cl
Hackernews
TrueConf Zero-Day Exploited in Attacks on Southeast Asian Government Networks
blogs_hackernews·2026-03-31·CVSS 7.8
[HIGH] TrueConf Zero-Day Exploited in Attacks on Southeast Asian Government Networks
## TrueConf Zero-Day Exploited in Attacks on Southeast Asian Government Networks
A high-severity security flaw in the TrueConf client video conferencing software has been exploited in the wild as a zero-day as part of a campaign targeting government entities in Southeast Asia dubbed TrueChaos.
The vulnerability in question is CVE-2026-3502 (CVSS score: 7.8), a lack of integrity check when fetching application update code, allowing an attacker to distribute a tampered update, resulting in the execution of arbitrary code. It has been patched in the TrueConf Windows client starting with version 8.5.3, released earlier this month
Checkpoint
Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets
blogs_checkpoint·2026-03-31·CVSS 7.8
CVE-2026-3502 [HIGH] Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets
## Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets
## Key Points
Check Point Research identified a zero-day vulnerability in the TrueConf client applicati
Published: 2026-03-30
Added to CISA KEV: 2026-04-02
Exploited in the wild