CISA has added CVE-2026-3502 to its Known Exploited Vulnerabilities (KEV) catalogue. The entry covers TrueConf Client and is listed as a Download of Code Without Integrity Check vulnerability, the weakness class MITRE tracks as CWE-494. An attacker who compromises the update delivery path can substitute a tampered package, and the updater runs it, giving the attacker arbitrary code execution on the endpoint.
The root cause is that the updater performs no integrity verification on what it downloads. An adversary positioned on the update delivery path, whether by controlling the server the client fetches from or by sitting on the network path between them, can intercept the transfer and replace the legitimate update files with malicious versions. When the updater executes the tampered files, the attacker achieves arbitrary code execution with the privileges of the updating process or of the logged-in user. Exploitation therefore presupposes control of, or a position on, the update channel; it is not reachable against a client that never fetches an update.
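To make the weakness class concrete, the following is an added illustration in Go and is not TrueConf's code; the `UpdatePackage` container, the key names and the installer bytes are all constructed for the example. It places the CWE-494 pattern (run whatever arrived on the channel) beside a hardened updater that only releases the payload after a detached Ed25519 signature verifies under a key pinned in the client, and plays the on-path attacker against both: once with the payload swapped and the vendor signature left in place, once with the swapped payload re-signed under the attacker's own key. The second attack is why the verification key has to be pinned rather than fetched alongside the update.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is a hypothetical update container used only for this example:
// the installer bytes plus a detached Ed25519 signature over SHA-256(Payload).
// It is not TrueConf's actual update format.
type UpdatePackage struct {
	Payload   []byte
	Signature []byte
}

// signRelease is the vendor-side build step: sign the digest of the release
// with the long-term release key whose public half is pinned in the client.
func signRelease(releasePriv ed25519.PrivateKey, payload []byte) UpdatePackage {
	digest := sha256.Sum256(payload)
	return UpdatePackage{Payload: payload, Signature: ed25519.Sign(releasePriv, digest[:])}
}

// vulnerableApply models CWE-494 (download of code without integrity check):
// whatever arrived on the update channel is handed straight to the installer.
func vulnerableApply(pkg UpdatePackage) ([]byte, error) {
	return pkg.Payload, nil
}

// hardenedApply only releases the payload if the detached signature verifies
// under a public key pinned in the client binary. The key must not come from
// the same channel as the update, or an on-path attacker simply replaces both.
func hardenedApply(pinnedPub ed25519.PublicKey, pkg UpdatePackage) ([]byte, error) {
	if len(pinnedPub) != ed25519.PublicKeySize || len(pkg.Signature) != ed25519.SignatureSize {
		return nil, errors.New("update rejected: malformed key or signature")
	}
	digest := sha256.Sum256(pkg.Payload)
	if !ed25519.Verify(pinnedPub, digest[:], pkg.Signature) {
		return nil, errors.New("update rejected: signature does not verify under pinned release key")
	}
	return pkg.Payload, nil
}

// ScenarioResult records how each updater treated the constructed packages.
type ScenarioResult struct {
	HardenedAcceptsGenuine    bool // legitimate, vendor-signed package passes
	VulnerableAcceptsTampered bool // CWE-494 updater runs the swapped payload
	HardenedRejectsTampered   bool // swapped payload, vendor signature left as delivered
	HardenedRejectsResigned   bool // swapped payload re-signed with the attacker's own key
}

// RunScenario builds a signed release, plays the on-path attacker against it,
// and feeds the results to both updaters. All inputs are constructed here.
func RunScenario() (ScenarioResult, error) {
	var res ScenarioResult

	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return res, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader) // client never trusts this key
	if err != nil {
		return res, err
	}

	genuine := signRelease(vendorPriv, []byte("constructed sample installer bytes, release 8.5"))
	malicious := []byte("constructed sample installer bytes carrying an attacker payload")

	// Attack 1: swap the payload, leave the vendor signature as delivered.
	tampered := UpdatePackage{Payload: malicious, Signature: genuine.Signature}
	// Attack 2: swap the payload and re-sign it with a key the attacker controls.
	resigned := signRelease(attackerPriv, malicious)

	_, err = hardenedApply(vendorPub, genuine)
	res.HardenedAcceptsGenuine = err == nil

	got, _ := vulnerableApply(tampered)
	res.VulnerableAcceptsTampered = string(got) == string(malicious)

	_, err = hardenedApply(vendorPub, tampered)
	res.HardenedRejectsTampered = err != nil

	_, err = hardenedApply(vendorPub, resigned)
	res.HardenedRejectsResigned = err != nil

	return res, nil
}

func main() {
	res, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

Note that `hardenedApply` signs and verifies a digest of the payload rather than relying on transport security alone: TLS protects the bytes in flight but says nothing about a compromised mirror or build server, whereas a release signature under a pinned key covers both cases.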
The flaw carries a CVSS base score of 7.8 and is rated HIGH severity. TrueConf has released version 8.5 to address it, and administrators should deploy that release without delay. Because the weakness lies in the update path itself, obtain the fixed build directly from the vendor over a verified channel and confirm its integrity before installation, rather than relying on an in-app update fetched over the same unverified path.
CISA has confirmed active exploitation of this vulnerability in the wild, which triggered its inclusion in the KEV catalogue. No ransomware campaigns are currently known to leverage this flaw, but code execution in the context of the user running the client is sufficient for threat actors to establish initial access or maintain persistence within a target network. Federal agencies must complete remediation by 2026-04-16.
Federal Civilian Executive Branch (FCEB) agencies must apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. This directive carries binding force for FCEB entities. All organisations should review their environments for vulnerable TrueConf Client installations and apply available updates immediately.
Full technical details are available via the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-3502 and the CISA KEV catalogue.