
TrueConf Client Vulnerability - Arbitrary Code Execution via Updates

CISA Known Exploited Vulnerabilities (KEV)
Published April 3rd, 2026
Detected April 3rd, 2026

Summary

CISA added CVE-2026-3502 to the Known Exploited Vulnerabilities catalog. The vulnerability allows remote attackers to execute arbitrary code via unverified software updates in TrueConf Client versions 8.1.0 through 8.5.2. The flaw has a CVSS score of 7.8 (HIGH) and is classified as actively exploited with total technical impact.

What changed

CISA has cataloged CVE-2026-3502, a vulnerability in TrueConf Client software versions 8.1.0-8.5.2 where the application's update mechanism downloads code without performing integrity verification. An attacker who controls the update delivery path can substitute a malicious payload, achieving arbitrary code execution. The vulnerability is confirmed actively exploited in the wild (SSVC: active/no/total) with a CVSS 3.1 score of 7.8.

Organizations running TrueConf Client versions 8.1.0-8.5.2 must update to version 8.5.3 or later immediately. Federal civilian agencies are subject to BOD 22-01 requiring remediation of KEVs. As a best practice, organizations should disable automatic updates until patching is confirmed and audit update delivery mechanisms for signs of compromise.

What to do next

  1. Update TrueConf Client to version 8.5.3 or later immediately
  2. If you cannot update immediately, disable automatic updates until patching is complete
  3. Audit update delivery mechanisms and systems for indicators of compromise

Source document (simplified)

Required CVE Record Information

CNA: Check Point Software Technologies Ltd.

Description

TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.
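As an added illustration (not TrueConf's code and not part of the CVE record), the CWE-494 pattern described above sits beside a hardened updater that verifies an Ed25519 signature against a publisher key pinned in the client before anything is installed. The Update struct, the domain-separator string and the sample payloads are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Update is a hypothetical bundle for this example only, not TrueConf's real update format.
type Update struct {
	Version   string
	Payload   []byte
	Signature []byte
}

// signedMessage binds version and payload digest under a domain separator (no replay across versions).
func signedMessage(version string, payload []byte) []byte {
	sum := sha256.Sum256(payload)
	msg := fmt.Sprintf("example-update-v1\x00%d:%s:", len(version), version)
	return append([]byte(msg), sum[:]...)
}

// Sign is the publisher-side step; the private key never ships with the client.
func Sign(priv ed25519.PrivateKey, version string, payload []byte) Update {
	return Update{version, payload, ed25519.Sign(priv, signedMessage(version, payload))}
}

// applyUnverified is the CWE-494 pattern: whatever arrived on the delivery path is installed as-is.
func applyUnverified(u Update) ([]byte, error) { return u.Payload, nil }

// applyVerified installs only if the signature checks against the publisher key pinned in the client.
func applyVerified(pinned ed25519.PublicKey, u Update) ([]byte, error) {
	if !ed25519.Verify(pinned, signedMessage(u.Version, u.Payload), u.Signature) {
		return nil, fmt.Errorf("update signature invalid: refusing to install")
	}
	return u.Payload, nil
}

// Demo signs a constructed genuine update, substitutes the payload in transit, and reports what each updater installs.
func Demo() (genuineInstalled, unverifiedTakesTampered, verifiedTakesTampered bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fails only on a broken RNG
	genuine := Sign(priv, "8.5.3", []byte("constructed genuine installer bytes"))
	tampered := genuine // signature and version kept, payload substituted
	tampered.Payload = []byte("constructed substituted payload")
	_, e0 := applyVerified(pub, genuine)
	_, e1 := applyUnverified(tampered)
	_, e2 := applyVerified(pub, tampered)
	return e0 == nil, e1 == nil, e2 == nil
}
```

The same check applied to a downloaded manifest (version plus digests) rather than the whole payload gives the same guarantee while keeping the signed object small.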

CWE

- CWE-494: Download of Code Without Integrity Check

CVSS

| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 7.8 | HIGH | 3.1 | CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L |

Product Status

Versions

Default Status: unknown

Affected:

  • TrueConf Client versions 8.1.0 through 8.5.2


Authorized Data Publishers

CISA-ADP

Updated: 2026-04-03

CISA-ADP supplies SSVC and KEV data, plus CVSS and CWE if not provided by the CNA.

SSVC

| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| active | no | total | 2.0.3 | 2026-03-31 |

KEV

- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-3502 (2026-04-02)

Named provisions: KEV Catalog Entry, SSVC Assessment, Product Status

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: CISA
Published: April 3rd, 2026
Instrument: Notice
Legal weight: Non-binding
Stage: Final
Change scope: Substantive
Document ID: CVE-2026-3502

Who this affects

Applies to: Technology companies, Government agencies, Healthcare providers
Industry sector: 5112 Software & Technology
Activity scope: Software Vulnerability Management, Update Mechanism Security
Threshold: TrueConf Client versions 8.1.0 through 8.5.2
Geographic scope: United States (US)

Taxonomy

Primary area: Cybersecurity
Operational domain: IT Security
Compliance frameworks: NIST CSF
Topics: Data Privacy, Software Security
