Vulnerability intelligence
CVE-2026-3502
TrueConf Client Download of Code Without Integrity Check Vulnerability
TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.
CVSS Score
7.8
High
EPSS — Exploit Probability
5.8%
Riskier than 92% of all CVEs
Exploitation
Confirmed in the wild
Used in ransomware campaigns
Remediation
Patch available
Federal deadline 2026-04-16
CISA required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Deadline for federal agencies: 2026-04-16.
6 articles across 6 outlets · first covered Mar 31, 2026 · latest Apr 4, 2026
Tracked incidents
Coverage timeline
-
CISA orders patch for TrueConf CVE-2026-3502 by Aprilsecurityaffairs.com · Apr 4, 2026
-
Chinese Actors Exploit TrueConf Zero Day Flaw in Govt Attackswww.securityweek.com · Apr 3, 2026
-
CISA Adds CVE-2026-3502 to Known Exploited Vulnerabilities Cataloguewww.cisa.gov · Apr 2, 2026
-
CISA Adds CVE-2026-3502 to Known Exploited Vulnerabilities Cataloguecisa.gov · Apr 2, 2026
-
TrueConf Zero-Day Exploited in Attacks on Southeast Asian Government Networksthehackernews.com · Mar 31, 2026
-
Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targetsresearch.checkpoint.com · Mar 31, 2026