CVE-2026-3502

7.8 HIGH CISA KEV - Actively Exploited
Published: March 30, 2026 Modified: April 03, 2026
View on NVD

Description

TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://trueconf.com/blog/update/trueconf-8-5
Source: cve@checkpoint.com
Product Release Notes
https://research.checkpoint.com/2026/operation-truechaos-0-day-exploitation-against-southeast-asian-government-targets/
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-3502
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
US Government Resource

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
7.8 / 10.0
EPSS (Exploit Probability)
1.5%
81th percentile
Exploitation Status
Actively Exploited
Remediation due: 2026-04-16

Weaknesses (CWE)

CWE-494

Affected Vendors

trueconf

Related CVEs

CVE-2026-4109 4.3
CVE-2026-33929 N/A
CVE-2026-33892 7.1
CVE-2026-31924 N/A
CVE-2026-31923 N/A