A high-severity flaw in the TrueConf client has been exploited in the wild as a zero-day in a campaign, tracked as TrueChaos, that targets government networks in Southeast Asia. The vulnerability, CVE-2026-3502 (CVSS 7.8), stems from a lack of integrity checking when the client fetches update code, which allows a tampered update to be distributed and arbitrary code to run. It has been patched in the TrueConf Windows client starting with version 8.5.3, released earlier in March 2026.
According to Check Point, an attacker who controls an on-premises TrueConf server can abuse the weakness in the client’s updater validation to substitute the update package and spread malicious files to all connected endpoints.
The TrueChaos activity appears to weaponise this to deploy the Havoc open-source C2 framework on vulnerable machines. Attribution to a Chinese-nexus threat actor is described as moderate confidence. The firm first recorded the attacks at the start of 2026; they used DLL side-loading and a trusted update flow to widen the compromise.