Cyber Resilience

CVE-2026-3502

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 30 March 2026
Modified: 03 April 2026
KEV Added: 02 April 2026
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L)
EPSS Score: 0.0575 (92.1th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2026-3502 is a high-severity Download of Code Without Integrity Check (CWE-494) vulnerability in TrueConf Client. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002). The CVE ranks in the top 7.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

TrueConf Client is affected by a vulnerability in which the application downloads and applies update payloads without performing any integrity verification. This flaw, tracked as CVE-2026-3502 and assigned CWE-494, allows an attacker positioned to control or intercept the update delivery channel to supply a malicious payload that executes with the privileges of the updating process or user. The issue carries a CVSS 3.1 score of 7.8.

An attacker with the ability to influence the update path, such as through network position or a compromised distribution server, can substitute a tampered binary. Successful exploitation results in arbitrary code execution on the target system, potentially granting full control over the affected client installation.

The referenced TrueConf advisory describes remediation in version 8.5, while Check Point research details active exploitation of the flaw in campaigns against Southeast Asian government targets under the name Operation TrueChaos. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities catalog, confirming observed in-the-wild use. The associated EPSS score has remained low and stable.

Vulnerability details

TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.

CWE(s): CWE-494
KEV Date Added: 02 April 2026

Related Threats

Threat-Actor Attribution (AI)

Operation TrueChaos
Check Point Research attributes 0-day exploitation of this TrueConf update flaw to Operation TrueChaos against Southeast Asian government targets.

MITRE ATT&CK Enterprise Techniques (AI)

T1195.002 Compromise Software Supply Chain (Initial Access)
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
T1203 Exploitation for Client Execution (Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

The vulnerability enables tampering with unverified software updates for supply chain compromise (T1195.002) and exploitation of the client-side updater for arbitrary code execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-15556 · Shared CWE-494 · both on KEV
CVE-2026-9089 · Shared CWE-494
CVE-2025-56513 · Shared CWE-494
CVE-2025-27593 · Shared CWE-494
CVE-2026-27180 · Shared CWE-494
CVE-2026-2999 · Shared CWE-494
CVE-2025-69263 · Shared CWE-494
CVE-2026-3000 · Shared CWE-494
CVE-2025-1058 · Shared CWE-494
CVE-2026-40066 · Shared CWE-494

Affected Assets

trueconf / trueconf ≤ 8.5.3.884

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Requires cryptographic signing of software components so that tampered update payloads are rejected before execution.

prevent · detect

Mandates integrity verification of software and updates, directly blocking the unsigned/tampered payload described in the CVE.

prevent

Implements tamper-resistance mechanisms on delivered components, mitigating substitution attacks on the update delivery path.
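
The verify-before-apply gate that the signing and integrity controls above call for, shown as an added example (it is not TrueConf's code and is not taken from the advisory). The RSA key is a constructed, insecure demo key, and `vendor_sign`, `verify_update`, `apply_update` and the `install` callback are hypothetical names.

```python
import hashlib
import hmac

# Constructed demo key, NOT secure: two Mersenne primes form an RSA modulus so the
# example runs on the standard library alone. A real client embeds only (N, E).
_P, _Q = 2**521 - 1, 2**607 - 1
N, E = _P * _Q, 65537
_D = pow(E, -1, (_P - 1) * (_Q - 1))  # vendor-side private exponent (demo only)
K = (N.bit_length() + 7) // 8         # modulus length in bytes

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


class UpdateRejected(Exception):
    """Raised when a payload fails verification; nothing is installed."""


def _encode(payload: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(payload), padded to K bytes."""
    t = _SHA256_PREFIX + hashlib.sha256(payload).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def vendor_sign(payload: bytes) -> bytes:
    """Hypothetical build-server step: sign the release payload."""
    return pow(int.from_bytes(_encode(payload), "big"), _D, N).to_bytes(K, "big")


def verify_update(payload: bytes, signature: bytes) -> bool:
    """Client-side check: recompute the full encoding and compare, never parse it."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    return hmac.compare_digest(pow(s, E, N).to_bytes(K, "big"), _encode(payload))


def apply_update(payload: bytes, signature: bytes, install) -> None:
    """Fail closed: `install` (hypothetical callback) runs only after verification."""
    if not verify_update(payload, signature):
        raise UpdateRejected("signature check failed; update discarded")
    install(payload)
```

The signature has to be checked against a public key shipped inside the client; a digest or key fetched over the same channel as the payload can be swapped along with it.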

References