CVE-2026-3502

HIGH KEV

TrueConf Client Update Integrity Verification Bypass

Title source: cna

Description

TrueConf Client downloads application update code and applies it without verifying the integrity or authenticity of what it downloaded. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the updater executes or installs that payload, the result can be arbitrary code execution in the context of the updating process or user.

Exploits (2)

nomisec SCANNER, by fevar54 (poc):
https://github.com/fevar54/CVE-2026-3502-Scanner---TrueConf-Vulnerability-Detection-Tool

nomisec SCANNER, by fevar54 (poc):
https://github.com/fevar54/CVE-2026-3502---TrueConf-Client-Update-Hijacking-PoC

Scores

CVSS v3 7.8
EPSS 0.0242
EPSS Percentile 85.2%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L

Details

CISA KEV 2026-04-02
VulnCheck KEV 2026-03-31
ENISA EUVD EUVD-2026-17162
CWE CWE-494 (Download of Code Without Integrity Check)
Status published
Products (2)
trueconf/trueconf < 8.5.3.884
TrueConf/TrueConf Client versions 8.1.0 through 8.5.2
Published Mar 30, 2026
KEV Added Apr 02, 2026
Tracked Since Mar 31, 2026