Description
TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.
Published: 2026-03-30
Score: 7.8 High
EPSS: 1.7% Low
KEV: Yes
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

In the TrueConf Client, the update mechanism does not verify the integrity or authenticity of downloaded code before installing it (CWE-494, Download of Code Without Integrity Check). An attacker who can interpose on the update delivery path, whether by redirecting the client to a server they control or by tampering with the download in transit, can supply a malicious payload. When the updater applies this payload, arbitrary code executes with the privileges of the updater or the current user, which is enough to fully compromise the affected machine.
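The CWE-494 pattern the CVE describes, side by side with the check that closes it, as an added example in Go. This is not TrueConf's code and the page does not document how the real updater fetches or installs updates; the manifest layout, the "update-manifest-v1" signing context, the use of a pinned ed25519 release key, the build numbers and the sample payload strings are all assumptions constructed for the demonstration. The vulnerable path installs whatever arrives; the hardened path verifies a vendor-signed manifest against the pinned key, checks that the payload hashes to the signed digest, and refuses downgrades or replays, so a payload swapped in transit, a manifest re-signed by the attacker, and a replayed release are each rejected.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strconv"
)

// Manifest is the assumed update metadata fetched next to the payload.
type Manifest struct {
	Build     uint64 // monotonically increasing release number
	SHA256    string // hex SHA-256 of the payload
	Signature []byte // ed25519 over signingInput(Build, SHA256), vendor key only
}

// signingInput binds build and digest under a fixed context string.
func signingInput(build uint64, digest string) []byte {
	return []byte("update-manifest-v1\n" + strconv.FormatUint(build, 10) + "\n" + digest)
}

// makeManifest is the vendor side: hash the payload, sign build+digest.
func makeManifest(priv ed25519.PrivateKey, build uint64, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	digest := hex.EncodeToString(sum[:])
	sig := ed25519.Sign(priv, signingInput(build, digest))
	return Manifest{Build: build, SHA256: digest, Signature: sig}
}

// vulnerableApply models the CWE-494 behaviour in the CVE text: whatever
// arrives on the update path is handed straight to the installer.
func vulnerableApply(payload []byte) ([]byte, error) {
	return payload, nil
}

// verifiedApply installs only if the manifest is signed by the pinned key,
// the payload hashes to the signed digest, and the build moves forward.
func verifiedApply(pinned ed25519.PublicKey, installed uint64, m Manifest, payload []byte) ([]byte, error) {
	if !ed25519.Verify(pinned, signingInput(m.Build, m.SHA256), m.Signature) {
		return nil, errors.New("manifest signature invalid")
	}
	sum := sha256.Sum256(payload)
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || !bytes.Equal(sum[:], want) {
		return nil, errors.New("payload hash mismatch")
	}
	if m.Build <= installed {
		return nil, errors.New("refusing downgrade or reinstall")
	}
	return payload, nil
}

// DemoResult records what each code path does with legitimate and attacker input.
type DemoResult struct {
	LegitAccepted      bool
	VulnerableAccepted bool   // unverified path installs the swapped payload
	TamperedErr        string // genuine manifest, payload swapped in transit
	ForgedErr          string // manifest re-signed with the attacker's own key
	ReplayErr          string // genuine manifest replayed to a client already on that build
}

func RunDemo() (DemoResult, error) {
	var r DemoResult
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor key; pub is pinned in the client
	if err != nil {
		return r, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	good := []byte("constructed installer bytes, build 850") // stand-in for the real installer
	evil := []byte("constructed attacker-controlled installer")

	legit := makeManifest(priv, 850, good)
	out, err := verifiedApply(pub, 840, legit, good)
	r.LegitAccepted = err == nil && bytes.Equal(out, good)

	out, _ = vulnerableApply(evil)
	r.VulnerableAccepted = bytes.Equal(out, evil)

	if _, err = verifiedApply(pub, 840, legit, evil); err != nil {
		r.TamperedErr = err.Error()
	}
	if _, err = verifiedApply(pub, 840, makeManifest(attackerPriv, 860, evil), evil); err != nil {
		r.ForgedErr = err.Error()
	}
	if _, err = verifiedApply(pub, 850, legit, good); err != nil {
		r.ReplayErr = err.Error()
	}
	return r, nil
}
```

The order of the checks matters: the signature is verified before the digest is trusted, because a digest from an unsigned manifest proves nothing about who produced the payload, and the build comparison sits behind the signature so an attacker cannot drive a client backwards to a release with a known flaw by replaying old but genuine metadata.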

Affected Systems

The vulnerability affects the TrueConf Client application. The CVE text does not name the affected builds; the references indicate that versions prior to the 8.5 release are vulnerable, and the CPE recorded by NVD covers the Windows client. Every TrueConf Client installation older than 8.5 should therefore be treated as at risk.

Risk and Exploitability

The CVSS 3.1 base score of 7.8 (High) comes from the vector AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L: the attacker needs a position adjacent to the victim's network (for example on the path between the client and its update server), high privileges and a user action such as an update run, but a successful attack crosses a security boundary and compromises confidentiality and integrity completely. The EPSS probability of about 1.7 % is low, yet the entry is listed in CISA's KEV catalog (added 2 April 2026, remediation due 16 April 2026) and the SSVC assessment records active exploitation, so it has been targeted in the wild. SSVC also rates it Automatable: no, consistent with an attack that requires the victim's TrueConf Client to be running and fetching an update while the attacker controls the delivery path.

Generated by OpenCVE AI on April 3, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest TrueConf Client update (version 8.5 or later) that restores update integrity checks.
  • If an update is not yet available, disable automatic update downloads or enforce a trusted update server until the patch is applied.
  • Monitor the system for anomalous code execution or unexpected changes to the client executable.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 11:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:trueconf:trueconf:*:*:*:*:*:windows:*:*

Fri, 03 Apr 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Trueconf; Trueconf trueconf
Type: Vendors & Products
Values Added: Trueconf; Trueconf trueconf

Thu, 02 Apr 2026 20:30:00 +0000

Type: References
Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: kev {'dateAdded': '2026-04-02T00:00:00+00:00', 'dueDate': '2026-04-16T00:00:00+00:00'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 19:15:00 +0000


Tue, 31 Mar 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 18:45:00 +0000

Type: Description
Values Added: TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.
Type: Title
Values Added: TrueConf Client Update Integrity Verification Bypass
Type: Weaknesses
Values Added: CWE-494
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: checkpoint

Published:

Updated: 2026-04-03T03:55:23.638Z

Reserved: 2026-03-03T21:18:35.221Z

Link: CVE-2026-3502

Vulnrichment

Updated: 2026-03-31T14:28:12.261Z

NVD

Status : Analyzed

Published: 2026-03-30T19:16:27.053

Modified: 2026-04-03T11:40:57.390

Link: CVE-2026-3502

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T21:17:52Z

Weaknesses