The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a flaw in TrueConf Client, tracked as CVE-2026-3502 with a CVSS score of 7.8, to its Known Exploited Vulnerabilities (KEV) catalog. TrueConf is a videoconferencing platform used in secure, offline networks by governments and critical sectors, which makes it a valuable target.
The flaw allows the TrueConf Client to download and install updates without verifying them. An attacker who can tamper with the update source can therefore deliver malicious files and achieve arbitrary code execution on the system.
Researchers warn that threat actors are compromising TrueConf servers in government environments and exploiting CVE-2026-3502 to deliver malicious updates: attackers replace the update files on on-premises servers, and the client then retrieves the malicious package through its normal update process.
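The update flow described above, as an added illustration that is not TrueConf's code: a hypothetical client pulls a manifest and a package from an on-premises update server, and the vulnerable install path trusts whatever the server returns, while the hardened path checks the package against a trust anchor that the server cannot influence and also refuses downgrades (the pinned-digest trust anchor, manifest format and version scheme are all assumptions; a real client would verify a publisher signature).

```python
"""Hypothetical update client modelling the gap behind CVE-2026-3502.
Not TrueConf's code: a generic client that fetches a manifest plus a
package from an update server and decides whether to install it."""
import hashlib
import hmac
import json

# Constructed sample packages: the genuine build and a tampered file that
# an intruder has placed on a compromised update server in its place.
GENUINE_PKG = b"client-setup-2.0 (constructed sample installer bytes)"
TAMPERED_PKG = b"client-setup-2.0 (constructed malicious replacement)"

# Trust anchor shipped with the client or obtained over a separately
# authenticated channel: the expected digest per released version.
# Assumption for the example; a real client checks a publisher signature.
PINNED_DIGESTS = {"2.0": hashlib.sha256(GENUINE_PKG).hexdigest()}


def serve(version, package):
    """Stand-in for the update server: returns (manifest_json, package).
    Everything here, digest included, is attacker-controlled once the
    server is compromised."""
    manifest = {"version": version, "sha256": hashlib.sha256(package).hexdigest()}
    return json.dumps(manifest).encode(), package


def vtuple(version):
    """'2.0' -> (2, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def install_unverified(installed, manifest, package):
    """Vulnerable pattern: installs whatever the server's manifest describes."""
    m = json.loads(manifest)
    return f"installed {m['version']} ({len(package)} bytes)"


def install_verified(installed, manifest, package):
    """Hardened pattern: the package must match the pinned digest for the
    claimed version (not the server-supplied one), and downgrades or
    replays of the current version are refused."""
    m = json.loads(manifest)
    expected = PINNED_DIGESTS.get(m["version"])
    if expected is None:
        raise ValueError(f"unknown version {m['version']}: no trust anchor")
    if vtuple(m["version"]) <= vtuple(installed):
        raise ValueError("downgrade or replay refused")
    actual = hashlib.sha256(package).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise ValueError("package digest does not match trust anchor")
    return f"installed {m['version']} ({len(package)} bytes)"


def attempt(installed, manifest, package, verify=True):
    """Returns the install result, or the rejection reason on failure."""
    try:
        handler = install_verified if verify else install_unverified
        return handler(installed, manifest, package)
    except ValueError as exc:
        return f"rejected: {exc}"
```

Note that the manifest's own sha256 field is never consulted by the hardened path: a digest served alongside the package proves nothing once the server is in an attacker's hands.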
Check Point tracked this wave as Operation TrueChaos and linked it to a China-aligned threat actor using tactics such as DLL sideloading and infrastructure from Alibaba and Tencent; the activity affected the same victim previously hit by ShadowPad. Under Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies must address vulnerabilities listed in the KEV catalog, and CISA has ordered federal agencies to fix this one by 16 April 2026.