CVE-2026-3502
Published: 30 March 2026
Summary
CVE-2026-3502 is a high-severity Download of Code Without Integrity Check (CWE-494) vulnerability in Trueconf Trueconf. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002); ranked in the top 14.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-7 (Software, Firmware, and Information Integrity).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-7 requires verification of software integrity prior to installation or update, directly preventing execution of tampered update payloads.
CM-14 mandates digitally signed software components, ensuring update authenticity and blocking substituted malicious payloads.
SI-3 deploys malicious code protection at entry points to block or detect tampered updates containing arbitrary code execution payloads.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables tampering with unverified software updates for supply chain compromise (T1195.002) and exploitation of client-side updater for arbitrary code execution (T1203).
NVD Description
TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this…
more
may result in arbitrary code execution in the context of the updating process or user.
Deeper analysisAI
CVE-2026-3502 is a vulnerability in the TrueConf Client application, where it downloads update code and applies it without performing verification. This flaw, published on 2026-03-30 and associated with CWE-494, allows an attacker who can influence the update delivery path to substitute a tampered update payload. If executed or installed by the updater, the payload may lead to arbitrary code execution in the context of the updating process or the user, with a CVSS v3.1 base score of 7.8 (AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L).
Exploitation requires adjacent network access, low complexity, high privileges, and user interaction, such as a user triggering the update process. An attacker able to compromise or intercept the update delivery path can deliver a malicious payload disguised as legitimate software, achieving arbitrary code execution upon installation. This grants high impacts to confidentiality and integrity, with low availability impact and changed scope.
Advisories provide mitigation details, including TrueConf's release notes for version 8.5 at https://trueconf.com/blog/update/trueconf-8-5, which likely addresses the update verification issue. Checkpoint Research documents 0-day exploitation in Operation TrueChaos targeting Southeast Asian government entities (https://research.checkpoint.com/2026/operation-truechaos-0-day-exploitation-against-southeast-asian-government-targets/), and CISA lists it in the Known Exploited Vulnerabilities catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-3502), urging immediate patching.
This vulnerability has confirmed real-world exploitation as a zero-day against government targets, highlighting risks in video conferencing software update mechanisms.
Details
- CWE(s)
- KEV Date Added
- 02 April 2026