High severity7.8CISA KEVNVD Advisory· Published Mar 30, 2026· Updated Apr 3, 2026

CVE-2026-3502

Description

TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.

Affected products

Trueconf/Trueconf
cpe:2.3:a:trueconf:trueconf:*:*:*:*:*:windows:*:*
Range: <8.5.3.884

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

research.checkpoint.com/2026/operation-truechaos-0-day-exploitation-against-southeast-asian-government-targets/nvdThird Party Advisory
trueconf.com/blog/update/trueconf-8-5nvdProductRelease Notes
www.cisa.gov/known-exploited-vulnerabilities-catalognvdUS Government Resource

News mentions

PhantomCore Exploits TrueConf Vulnerabilities to Breach Russian Networks
The Hacker News · Apr 27, 2026
Risky Business #832 -- Anthropic unveils magical 0day computer God
Risky Business · Apr 8, 2026
6th April – Threat Intelligence Report
Check Point Research · Apr 6, 2026
Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets
Check Point Research · Mar 31, 2026

cvss	0.507
epss	0.002
exploit	0.000
kev	0.120
patch	0.000
ransomware	0.000