SecurityWeek reports that a Chinese threat actor exploited a zero-day in the TrueConf video conferencing platform to conduct reconnaissance, escalate privileges, and deliver additional payloads in attacks against government entities in Asia, according to Check Point.
The flaw, tracked as CVE-2026-3502 with a CVSS score of 7.8, arises because the application does not properly verify updates before applying them. This enables malicious code execution if tampered update code is delivered via the on-premises server–client update flow.
TrueConf can be deployed offline within private networks. Check Point notes that the on-premises server was compromised to replace the update package, and that the same malicious update was sent to multiple government entities. The implanted components allowed reconnaissance, lateral movement preparation, persistence, and retrieval of additional payloads, and they contacted a C&C IP address used by Havoc.
The firm believes a Chinese threat actor was responsible. TrueConf fixed the vulnerability in version 8.5.3 of the client, released in March. CISA subsequently added CVE-2026-3502 to its KEV catalog and urged patching by 16 April.
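The check whose absence is described above, a client verifying an update before applying it, is sketched below as an added Go example; it is not TrueConf's or Check Point's code. It assumes the vendor signs each package with Ed25519 and the client pins the vendor's public key, so a compromised on-premises server cannot substitute the package; the `Update` layout, `signedMessage` format and all sample values are hypothetical and constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is what the on-premises server hands to the client (hypothetical layout).
type Update struct {
	Version   string
	Package   []byte
	Signature []byte // vendor's Ed25519 signature over signedMessage(Version, Package)
}

var ErrBadSignature = errors.New("update rejected: signature does not match pinned vendor key")

// signedMessage binds the version string to the package digest, so a validly
// signed older package cannot be relabelled as a newer version.
func signedMessage(version string, pkg []byte) []byte {
	sum := sha256.Sum256(pkg)
	return append([]byte("update-v1\x00"+version+"\x00"), sum[:]...)
}

// VerifyUpdate must pass before anything in the package is unpacked or run.
// vendorKey is compiled into the client; it is never fetched from the update server.
func VerifyUpdate(vendorKey ed25519.PublicKey, u Update) error {
	if len(vendorKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(vendorKey, signedMessage(u.Version, u.Package), u.Signature) {
		return ErrBadSignature
	}
	return nil
}

// demo uses a constructed key pair and constructed packages.
func demo() (genuine, swapped error) {
	seed := sha256.Sum256([]byte("constructed demo seed"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	pub := priv.Public().(ed25519.PublicKey)
	good := Update{Version: "1.2.3", Package: []byte("vendor build")}
	good.Signature = ed25519.Sign(priv, signedMessage(good.Version, good.Package))
	bad := good // same version and signature, package swapped on the server
	bad.Package = []byte("package replaced on the server")
	return VerifyUpdate(pub, good), VerifyUpdate(pub, bad)
}

func main() {
	g, s := demo()
	fmt.Println("genuine:", g)
	fmt.Println("swapped:", s)
}
```

The signing key stays with the vendor, which is why control of the distribution server alone does not let a replaced package pass this check.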