
CISA Adds TrueConf Client Vulnerability to Known Exploited Vulnerabilities Catalog

  • Apr 5

Key Findings


  • CISA added CVE-2026-3502, a flaw in TrueConf Client, to its Known Exploited Vulnerabilities catalog on April 2, 2026

  • The vulnerability has a CVSS score of 7.8 and lets a malicious update be downloaded and installed without any integrity verification

  • Threat actors are actively exploiting this flaw by compromising TrueConf servers and replacing legitimate update files with malicious payloads

  • Check Point researchers attributed a wave of attacks called Operation TrueChaos to a China-aligned threat actor with moderate confidence

  • Federal agencies must remediate the vulnerability by April 16, 2026 under Binding Operational Directive 22-01

  • The attack delivered the Havoc framework, enabling attackers to achieve persistent control and surveillance


Background


TrueConf is a videoconferencing platform commonly deployed in secure, offline networks by government agencies and critical infrastructure sectors. Because of its use in sensitive environments, the platform has become an attractive target for sophisticated threat actors seeking access to government networks. The addition of CVE-2026-3502 to CISA's KEV catalog reflects confirmed, active exploitation in real-world attacks rather than a theoretical risk.


The Vulnerability Details


CVE-2026-3502 is classified under CWE-494 "Download of Code Without Integrity Check." The flaw exists in TrueConf Client's software update mechanism, which fails to verify the authenticity or integrity of downloaded update files before executing them. In a properly secured update workflow, cryptographic integrity checks function as a digital seal, ensuring only vendor-signed files are installed. This vulnerability breaks that assurance entirely.


An attacker positioned on the network or one who has compromised the update delivery infrastructure can intercept update requests and substitute legitimate packages with malicious payloads. Because TrueConf Client does not validate file integrity, it proceeds to install and execute the tampered update automatically, resulting in arbitrary code execution with the privileges of the user or of the system process that runs the updater.
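As an added example (not TrueConf's code and not taken from the page), the Go program below contrasts a client that runs whatever its update server returns, the CWE-494 pattern described above, with one that verifies an Ed25519 signature against a vendor key pinned in the client; the update format, the key handling and the package bytes are assumptions constructed for this demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Update is what the client receives from its update server. In the
// CWE-494 pattern the Signature field is never checked before execution.
type Update struct {
	Version   string
	Package   []byte // installer bytes (constructed stand-in, not a real installer)
	Signature []byte // vendor Ed25519 signature over message(Version, Package)
}

// message binds the version label to the package bytes so neither can be swapped alone.
func message(version string, pkg []byte) []byte {
	return append(append([]byte(version), 0), pkg...)
}

// VendorKey generates the vendor's signing key pair; the public half is
// assumed to be pinned in the client at build time.
func VendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// VendorSign is the vendor's build-side step that produces a signed update.
func VendorSign(priv ed25519.PrivateKey, version string, pkg []byte) Update {
	return Update{version, pkg, ed25519.Sign(priv, message(version, pkg))}
}

// VulnerableInstall mirrors the flaw: whatever the server returned is run.
func VulnerableInstall(u Update) (string, error) {
	return fmt.Sprintf("ran %q (%d bytes)", u.Version, len(u.Package)), nil
}

// HardenedInstall runs a package only if its signature verifies against the
// pinned vendor key, so a package swapped on a compromised server is refused.
func HardenedInstall(pinned ed25519.PublicKey, u Update) (string, error) {
	if !ed25519.Verify(pinned, message(u.Version, u.Package), u.Signature) {
		return "", errors.New("update rejected: signature does not verify against pinned vendor key")
	}
	return fmt.Sprintf("ran %q (%d bytes)", u.Version, len(u.Package)), nil
}
```

The pinned key is what makes the check meaningful: a key fetched from the same server that serves the package could be swapped along with it.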


Active Exploitation Campaign


Researchers at Check Point documented a coordinated attack wave they tracked as Operation TrueChaos. Threat actors compromised TrueConf servers operated by a governmental IT department that served as the videoconferencing platform for dozens of government entities across the country. Before victims initiated the update process, attackers had already replaced the update packages on the on-premises server with weaponized versions.


When TrueConf clients launched, likely triggered by attacker-sent links, users saw an update prompt claiming a newer version was available. The client then retrieved the malicious file through the normal update process, with no integrity check in place to stop it. All government entities supplied by that server received the same malicious update.


The compromised updates delivered the Havoc framework, a remote access tool that enables attackers to execute commands, conduct surveillance, and maintain persistence on infected systems. The same victim was also hit by ShadowPad, suggesting either shared tools and access or multiple Chinese-linked actors targeting the organization simultaneously.


Attribution and Tactics


Check Point linked Operation TrueChaos to a China-aligned threat actor with moderate confidence, citing several indicators. The attackers used DLL sideloading techniques, leveraged Alibaba and Tencent infrastructure for command and control, and targeted government entities in a manner consistent with state-sponsored activity. The sophisticated nature of the attack, including server compromise and update package manipulation, demonstrates advanced operational capability.


Federal Requirements and Remediation


Under Binding Operational Directive 22-01, all U.S. federal civilian executive branch agencies must remediate CVE-2026-3502 by April 16, 2026. Security teams should immediately audit all TrueConf Client deployments across their environments, confirm patch applicability, and deploy available updates. Organizations should also monitor network traffic for anomalous update-related activity as an additional defensive measure while remediation is underway.


CISA recommends that private organizations review the KEV catalog and address identified vulnerabilities in their infrastructure, even though the federal remediation deadline applies only to federal agencies. Software update mechanisms are particularly dangerous attack surfaces because they are inherently trusted by operating systems and often run with elevated privileges, making them high-value targets for threat actors seeking persistent access.



© 2025 by Explain IT Again.