TrueConf Zero-Day Exploited in Asian Government Attacks
Briefly

"The exploited bug, tracked as CVE-2026-3502 (CVSS score of 7.8), exists because the application does not properly verify updates before applying them. This results in the execution of malicious code if an attacker could tamper with the update code."
"TrueConf client update starts when the client detects a version mismatch in favor of the TrueConf on-premises server; the client alerts the user that a newer version is available and offers to download it."
"The compromised TrueConf on-premises server was operated by the governmental IT department and served as a video conferencing platform for dozens of government entities across the country, which were all supplied with the same malicious update."
A zero-day vulnerability in TrueConf video conferencing software, tracked as CVE-2026-3502, has been exploited by Chinese hackers against government entities in Asia. The vulnerability arises from the software's failure to properly verify updates before applying them, which allows malicious code execution. TrueConf is typically used by government and military organizations for secure communication. In the attack, named TrueChaos, the on-premises TrueConf server was compromised and its update package replaced with a malicious version; clients that detected the version mismatch prompted users to download it, so the same malicious update reached multiple government entities served by that server.
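The defect described above is an update path that trusts whatever the server offers. The following is an added example, not TrueConf's code and not derived from the article, of the check a client should perform instead: the publisher signs the update version and package hash offline, the client pins the publisher's public key, and a package is applied only if the signature verifies, the downloaded bytes match the signed hash, and the version is newer. The manifest layout, function names and sample package bytes are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is what the server offers the client. The publisher signs the
// version and package hash together, so a server that only holds packages
// (and no publisher key) cannot produce a manifest the client will accept.
type Manifest struct {
	Version   uint32
	PkgSHA256 [32]byte
	Signature []byte
}
var ErrRejected = errors.New("update rejected")
// signedBytes is the canonical byte string the publisher signs.
func signedBytes(version uint32, h [32]byte) []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf, version)
	copy(buf[4:], h[:])
	return buf
}
// VerifyUpdate checks the publisher signature against a key pinned in the
// client, then that the downloaded bytes match the signed hash, then that the
// version is newer. A higher version number on its own is never sufficient.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, pkg []byte) error {
	if !ed25519.Verify(pub, signedBytes(m.Version, m.PkgSHA256), m.Signature) {
		return fmt.Errorf("%w: manifest signature invalid", ErrRejected)
	}
	if sha256.Sum256(pkg) != m.PkgSHA256 {
		return fmt.Errorf("%w: package hash mismatch", ErrRejected)
	}
	if m.Version <= installed {
		return fmt.Errorf("%w: version %d not newer than %d", ErrRejected, m.Version, installed)
	}
	return nil
}
// SignManifest is the publisher side, run offline with the private key.
func SignManifest(priv ed25519.PrivateKey, version uint32, pkg []byte) Manifest {
	h := sha256.Sum256(pkg)
	return Manifest{Version: version, PkgSHA256: h, Signature: ed25519.Sign(priv, signedBytes(version, h))}
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed publisher key
	genuine := []byte("constructed sample package v2")
	m := SignManifest(priv, 2, genuine)
	fmt.Println(VerifyUpdate(pub, 1, m, genuine), "|", VerifyUpdate(pub, 1, m, []byte("swapped package")))
}
```

The second call in main shows the case from the article: the manifest is genuine but the package bytes on the server were replaced, so the hash check fails and nothing is executed.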
Read at SecurityWeek