CVE-2026-3502
Published: 30 March 2026
Summary
CVE-2026-3502 is a high-severity Download of Code Without Integrity Check (CWE-494) vulnerability in Trueconf Trueconf. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002); ranked in the top 7.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-7 (Software, Firmware, and Information Integrity).
Deeper analysis
TrueConf Client is affected by a vulnerability in which the application downloads and applies update payloads without performing any integrity verification. This flaw, tracked as CVE-2026-3502 and assigned CWE-494, allows an attacker positioned to control or intercept the update delivery channel to supply a malicious payload that executes with the privileges of the updating process or user. The issue carries a CVSS 3.1 score of 7.8.
An attacker with the ability to influence the update path, such as through network position or a compromised distribution server, can substitute a tampered binary. Successful exploitation results in arbitrary code execution on the target system, potentially granting full control over the affected client installation.
The referenced TrueConf advisory describes remediation in version 8.5, while Check Point research details active exploitation of the flaw in campaigns against Southeast Asian government targets under the name Operation TrueChaos. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities catalog, confirming observed in-the-wild use. The associated EPSS score has remained low and stable.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17162
Vulnerability details
TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this…
more
may result in arbitrary code execution in the context of the updating process or user.
- CWE(s)
- KEV Date Added
- 02 April 2026
Related Threats
Threat-Actor AttributionAI
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables tampering with unverified software updates for supply chain compromise (T1195.002) and exploitation of client-side updater for arbitrary code execution (T1203).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires cryptographic signing of software components so that tampered update payloads are rejected before execution.
Mandates integrity verification of software and updates, directly blocking the unsigned/tampered payload described in the CVE.
Implements tamper-resistance mechanisms on delivered components, mitigating substitution attacks on the update delivery path.