The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in TrueConf Client, tracked as CVE-2026-3502 (CVSS score of 7.8), to its Known Exploited Vulnerabilities (KEV) catalog.
TrueConf is a videoconferencing platform often used in secure, offline networks by governments and critical sectors, making it a valuable target.
CVE-2026-3502 is a flaw in TrueConf Client that allows it to download and install updates without verifying them. Attackers who can tamper with the update source can deliver malicious files, leading to arbitrary code execution on the system.
Researchers warn that threat actors are compromising TrueConf servers in government environments and exploiting the CVE-2026-3502 flaw to deliver malicious updates.
Attackers replaced update files with malicious ones, tricking users into installing them. This delivered the Havoc framework, enabling control, surveillance, and persistence.
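One way a client can reject a package that was swapped on the update server is to check it against a manifest signed with a vendor key pinned in the client. The sketch below is an added example, not TrueConf's code or its fix; the Manifest format, function names, version strings and package bytes are all hypothetical and constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor: a version and the package's SHA-256.
type Manifest struct{ Version, SHA256 string }

func (m Manifest) signedBytes() []byte { return []byte(m.Version + "\n" + m.SHA256) }

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrBadDigest    = errors.New("package digest does not match manifest")
)

// VerifyUpdate trusts only the key pinned in the client, never a key or hash
// served next to the package: signature first, then the signed digest.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, pkg []byte) error {
	if !ed25519.Verify(pinned, m.signedBytes(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrBadDigest
	}
	return nil
}

// Publish is the vendor-side step, done offline from the update server.
func Publish(priv ed25519.PrivateKey, version string, pkg []byte) (Manifest, []byte) {
	sum := sha256.Sum256(pkg)
	m := Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.signedBytes())
}

// RunScenarios uses constructed keys and bytes: a legitimate update, a package
// swapped on the server, and a swapped package with a re-signed manifest.
func RunScenarios() (legit, swapped, resigned error) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	_, other, _ := ed25519.GenerateKey(nil) // key held by whoever controls the server
	good, bad := []byte("constructed installer"), []byte("constructed replacement")
	m, sig := Publish(priv, "demo-1", good)
	bm, bsig := Publish(other, "demo-2", bad)
	return VerifyUpdate(pub, m, sig, good), VerifyUpdate(pub, m, sig, bad), VerifyUpdate(pub, bm, bsig, bad)
}

func main() { fmt.Println(RunScenarios()) }
```

Because the signing key never lives on the update server, controlling that server is not enough to produce a package the client will install.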
“The infections began when TrueConf client application launched, probably by a link sent to the target from the attacker. This link launched the already installed TrueConf client and presented an update prompt claiming that a newer version was available. Prior to the victim’s interaction, the attacker had already replaced the update package on the TrueConf on-premises server with a weaponized version, ensuring that the client retrieved a malicious file through the normal update process.” reported Check Point. “The compromised TrueConf on-premises server was operated by the governmental IT department and served as a video conferencing platform for dozens of government entities across the country, which were all supplied with the same malicious update.”
Check Point researchers track this wave of attacks as Operation TrueChaos and link it to a China-aligned threat actor with moderate confidence, citing tactics like DLL sideloading, use of Alibaba and Tencent infrastructure, and targeted victims. The same victim was also hit by ShadowPad, suggesting shared tools, access, or multiple Chinese-linked actors targeting it simultaneously.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerability by April 16, 2026.
(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)