CVE-2026-3502

HIGHCISA KEV

7.8

Description

TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.

Details CVE

Score CVSS v3.17.8

SeveriteHIGH

Vecteur CVSSCVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L

Vecteur d'attaqueADJACENT_NETWORK

ComplexiteLOW

Privileges requisHIGH

Interaction utilisateurREQUIRED

Publie3/30/2026

Derniere modification4/3/2026

Sourcenvd

Observations honeypot0

CISA KEV

FournisseurTrueConf

ProduitClient

Nom vulnerabiliteTrueConf Client Download of Code Without Integrity Check Vulnerability

Date ajout KEV2026-04-02

Date limite remediation2026-04-16

Utilise dans ransomwareUnknown

Produits affectes

trueconf:trueconf

Faiblesses (CWE)

CWE-494

References

https://trueconf.com/blog/update/trueconf-8-5(cve@checkpoint.com)

https://research.checkpoint.com/2026/operation-truechaos-0-day-exploitation-against-southeast-asian-government-targets/(134c704f-9b21-4f2e-91b3-4a467353bcc0)

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-3502(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.