🟠HIGH
Severity Overview
- CVSS Base Score: 7.8
- Severity: HIGH
- CVSS Version: 3.1
- Priority: Elevated priority
Summary
TrueConf Client downloads application update code and applies it without verifying the integrity or origin of what it downloaded (CWE-494). An attacker who can influence the update delivery path can substitute a tampered update payload for the legitimate one. If the updater executes or installs that payload, the result may be arbitrary code execution in the context of the updating process or user.
Analyst Takeaway
This vulnerability is already in CISA KEV, which means exploitation has been observed in the wild and the issue should be treated as active risk rather than theoretical exposure. In parallel with patching, defenders should review external exposure, hunt for signs of exploitation, and validate whether compensating controls are in place for vulnerable assets.
MITRE ATT&CK Mapping
No confident deterministic ATT&CK technique mapping was derived from the available vulnerability context.
Detection Guidance
No specific detection guidance could be derived from the available context. Organizations should rely on vendor advisories and general vulnerability scanning.
Key Details
- CVE: CVE-2026-3502
- Vendor: TrueConf
- Product: Client
- CWE: CWE-494
- Date Added to CISA KEV: 2026-04-02
- CISA Due Date: 2026-04-16
- Known Ransomware Campaign Use: Unknown
Technical Severity Details
- CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
Why This Matters
This vulnerability is included in CISA’s Known Exploited Vulnerabilities catalog, which means exploitation has been observed in the wild. Based on the available NVD scoring, this issue should be treated as elevated priority.
Recommended Action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Additional Notes
- https://trueconf.com/blog/update/trueconf-8-5
- https://trueconf.com/downloads/windows.html
- https://nvd.nist.gov/vuln/detail/CVE-2026-3502