CVE-2026-3502
CISA KEV
Zero-day vulnerability in TrueConf Windows client (versions prior to 8.5.3.884) where the application downloads and applies update code without performing integrity or authenticity verification (CWE-494). Exploited in Operation TrueChaos by a Chinese-nexus threat actor targeting Southeast Asian government entities. The attacker compromised an on-premises TrueConf server and replaced the legitimate client update package with a trojanized Inno Setup installer that deployed a multi-stage attack chain including DLL side-loading via poweriso.exe, UAC bypass via iscsicpl.exe, and a Havoc C2 implant communicating with Alibaba and Tencent Cloud infrastructure. TrueConf serves approximately 100,000 organizations globally across government, military, critical infrastructure, banking, and enterprise sectors. CISA added this CVE to the KEV catalog on April 2, 2026, with a federal remediation deadline of April 16, 2026. Patched in TrueConf Windows client version 8.5.3.
CVSS v3 vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
Weaknesses (CWE)
CWE-494
Threats tracking this CVE
- Operation TrueChaos: CVE-2026-3502 TrueConf 0-Day Supply Chain Exploitation Targeting Southeast Asian Governments — HIGH
- Operation TrueChaos: TrueConf Client 0-Day Exploitation via Supply Chain Update Hijack (CVE-2026-3502) — CRITICAL
References
- https://trueconf.com/blog/update/trueconf-8-5
- https://research.checkpoint.com/2026/operation-truechaos-0-day-exploitation-against-southeast-asian-government-targets/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-3502