Description
TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.
Published: 2026-03-30
Score: 7.8 High
EPSS: 5.8% Low
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

In the TrueConf Client, the update mechanism does not verify the integrity of downloaded code before installation. An attacker who can direct the client to an alternative update server can supply a malicious payload. When the updater applies this payload, arbitrary code executes with the privileges of the updater or the current user, enabling full compromise of the affected machine.

Affected Systems

The vulnerability affects the TrueConf Client application. The CVE description does not specify a build or version that is affected. Based on the references provided, it is inferred that all versions prior to the 8.5 update are vulnerable. Therefore, users running any installation of TrueConf Client older than 8.5 should consider the software at risk.

Risk and Exploitability

The CVSS score of 7.8 reflects a high severity level. The EPSS probability of 6 % indicates a moderate likelihood of exploitation, suggesting that attackers may find this vulnerability more viable than previously thought. The entry is marked in CISA’s KEV catalog, confirming that it has been targeted in the wild. Given the nature of the update path, the most likely attack vector is remote delivery of a forged update, requiring the victim to have the TrueConf Client running and fetching updates.

Generated by OpenCVE AI on June 18, 2026 at 09:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest TrueConf Client update (version 8.5 or later) that restores update integrity checks.
  • If an update is not yet available, disable automatic update downloads or enforce a trusted update server until the patch is applied.
  • Monitor the system for anomalous code execution or unexpected changes to the client executable.

Generated by OpenCVE AI on June 18, 2026 at 09:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 11:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:trueconf:trueconf:*:*:*:*:*:windows:*:*

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Trueconf
Trueconf trueconf
Vendors & Products Trueconf
Trueconf trueconf

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 kev

{'dateAdded': '2026-04-02T00:00:00+00:00', 'dueDate': '2026-04-16T00:00:00+00:00'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
References

Tue, 31 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
Description TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.
Title TrueConf Client Update Integrity Verification Bypass
Weaknesses CWE-494
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L'}

Subscriptions

Trueconf Trueconf
cve-icon MITRE

Status: PUBLISHED

Assigner: checkpoint

Published:

Updated: 2026-04-03T03:55:23.638Z

Reserved: 2026-03-03T21:18:35.221Z

Link: CVE-2026-3502

cve-icon Vulnrichment

Updated: 2026-03-31T14:28:12.261Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-30T19:16:27.053

Modified: 2026-06-17T10:43:41.010

Link: CVE-2026-3502

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T09:45:15Z

Weaknesses
  • CWE-494

    Download of Code Without Integrity Check