CVE-2026-3502

CVE-2026-3502 is a vulnerability in the TrueConf Client application, where it downloads update code and applies it without performing verification. This flaw, published on 2026-03-30 and associated with CWE-494, allows an attacker who can influence the update delivery path to substitute a tampered update payload. If executed or installed by the updater, the payload may lead to arbitrary code execution in the context of the updating process or the user, with a CVSS v3.1 base score of 7.8 (AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L).

Exploitation requires adjacent network access, low complexity, high privileges, and user interaction, such as a user triggering the update process. An attacker able to compromise or intercept the update delivery path can deliver a malicious payload disguised as legitimate software, achieving arbitrary code execution upon installation. This grants high impacts to confidentiality and integrity, with low availability impact and changed scope.

Advisories provide mitigation details, including TrueConf's release notes for version 8.5 at https://trueconf.com/blog/update/trueconf-8-5, which likely addresses the update verification issue. Checkpoint Research documents 0-day exploitation in Operation TrueChaos targeting Southeast Asian government entities (https://research.checkpoint.com/2026/operation-truechaos-0-day-exploitation-against-southeast-asian-government-targets/), and CISA lists it in the Known Exploited Vulnerabilities catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-3502), urging immediate patching.

This vulnerability has confirmed real-world exploitation as a zero-day against government targets, highlighting risks in video conferencing software update mechanisms.