HOMEVULNERABILITIESCVE-2026-3502
HIGHCISA KEVIN THE WILD

CVE-2026-3502

CWE-494Published: March 30, 2026· Updated: Apr 3, 2026

7.8
CVSS v3.1
EPSS:0.01%probability of exploitation in 30 daysPercentile:0.9th

Official Description

TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.

NVD Source

Risk Analysis

This high-severity vulnerability in TrueConf Client allows for arbitrary code execution due to a lack of update verification. An attacker could substitute a malicious update, leading to system compromise. This is a critical concern as it is confirmed to be exploited in the wild.

This vulnerability is actively exploited in the wild. An attacker needs to be able to influence the update delivery path to substitute a tampered update payload.

Recommended Action

Update TrueConf Client to a patched version as soon as one is available. Ensure that all software updates are downloaded from trusted sources and verified for integrity.

Generated by the CTIWATCH analysis pipeline from this CVE's metadata (CVSS, EPSS, KEV status, exploit intelligence). Verify against vendor advisories before acting.

Technical Analysis

CVE-2026-3502 requires adjacent network access, limiting remote exploitation but still posing risk in shared or local network environments.

Exploitation requires high privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), with a CVSS base score of 7.8.

The vulnerability has a "Changed" scope, meaning successful exploitation can impact components beyond the vulnerable component itself — such as the host operating system or adjacent services.

CISA has added CVE-2026-3502 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. U.S. federal agencies are required to patch this within the mandated timeframe, and all organizations should treat remediation as urgent.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorAdjacent
Attack ComplexityLow
Privileges Req.High
User InteractionRequired
ScopeChanged
Impact
ConfidentialityHigh
IntegrityHigh
AvailabilityLow
CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L

Affected Vendors & Products

trueconf1 product
trueconf
Source: NVD CPE · 1 total CPE entries

Exploit & PoC Resources

ACTIVE EXPLOITATIONConfirmed exploitation in the wild
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

News & Research Mentioning CVE-2026-3502

CISA Adds One Known Exploited Vulnerability to Catalog
CISA Alerts· Apr 2, 2026

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2026-3502 TrueConf Client Download of Code Without Integrity Check Vulnerability This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB net [xlite_meta score:48 src:CISA Alerts xlite_fp:450fe439b9066ce9c996c7a7e4307e6c62cbb863ba5ed2a5efdb53dad6e1ecf6]

TrueConf Zero-Day Exploited in Attacks on Southeast Asian Government Networks
The Hacker News· Mar 31, 2026

A high-severity security flaw in the TrueConf client video conferencing software has been exploited in the wild as a zero-day as part of a campaign targeting government entities in Southeast Asia dubbed TrueChaos. The vulnerability in question is CVE-2026-3502 (CVSS score: 7.8), a lack of integrity check when fetching application update code, allowing an attacker to distribute a tampered update, [xlite_meta score:56 src:The Hacker News xlite_fp:8ef25a81be66f64c34605d764436b2a4f185c47993b9dd228373c0b805e67045]

Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets
Check Point Research· Mar 31, 2026

Key Points Introduction At the beginning of 2026, Check Point Research observed a series of targeted attacks against government entities in Southeast Asia carried out via a legitimate TrueConf software installed in the targets’ environment. The investigation led to the discovery of a zero-day vulnerability in the TrueConf client, tracked as CVE-2026-3502 with a CVSS score of 7.8. […] The post Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets appeared first on Check Point Research. [xlite_meta score:44 src:Check Point Research xlite_fp:979772a1d68034cd6954254bd536cec397644dad4e23df9f9f33b99369a12f3c]

All References (3)

Quick Facts

CVE IDCVE-2026-3502
CVSS Score7.8 / 10
SeverityHIGH
WeaknessCWE-494
CISA KEVYES — Active Exploitation
ExploitIN THE WILD
EPSS (30d)0.01%
Affected1 vendor
PublishedMar 30, 2026

Known Threat Actors

chaos
financial
wa
financial
Chaos
financial
vect
financial
pear
financial
core
financial

Related CVEs (CWE-494)

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-3502 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
  • !CISA KEV: Federal agencies must patch per BOD 22-01 timeline
  • !Active exploitation confirmed — treat as P1
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.