⚡ Active KEV CVE-2026-3502 2026-05-17

CVE-2026-3502: TrueConf Client Update Mechanism Lacks Integrity Verification

TrueConf Client for Windows downloads and applies update payloads without verifying their integrity, allowing an attacker positioned on the update delivery path to substitute a tampered payload and achieve arbitrary code execution. CISA added the flaw to the Known Exploited Vulnerabilities catalog on 2026-04-02, confirming active exploitation in the wild.

What Is It

The TrueConf Client updater fetches application update code and installs it without verifying the payload (CWE-494: Download of Code Without Integrity Check). An attacker who can influence the update delivery path, for example from an adjacent-network position, can substitute a malicious payload. When the updater executes or installs that payload, arbitrary code runs in the context of the updating process or user.
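To make the CWE-494 pattern concrete, the following added example (not TrueConf's code; the payloads, manifest and version strings are constructed) contrasts an updater that installs whatever arrives on the wire with one that checks size, digest and version against a manifest before installing. It assumes the manifest itself reaches the client over an authenticated channel (signed, or fetched over pinned TLS); a digest delivered on the same unauthenticated path as the payload buys nothing, because the on-path attacker can rewrite both.

```python
import hashlib
import hmac

# Constructed sample: a "good" payload and the manifest a vendor would publish
# for it over an authenticated channel. Hypothetical data, not a real installer.
GOOD_PAYLOAD = b"TrueConfClient-setup-8.5.3.884 (constructed stand-in for an installer)"
MANIFEST = {
    "version": "8.5.3.884",
    "size": len(GOOD_PAYLOAD),
    "sha256": hashlib.sha256(GOOD_PAYLOAD).hexdigest(),
}
# What an on-path attacker could substitute for the real payload (constructed).
TAMPERED_PAYLOAD = b"TrueConfClient-setup-8.5.3.884 (constructed stand-in) plus injected bytes"


def version_tuple(v: str) -> tuple:
    """'8.5.3.884' -> (8, 5, 3, 884) so versions compare numerically, not lexically."""
    return tuple(int(x) for x in v.split("."))


def apply_update_unverified(payload: bytes) -> str:
    """CWE-494 pattern: whatever came off the wire is handed to the installer as-is."""
    return "install"


def apply_update_verified(payload: bytes, manifest: dict, installed_version: str) -> str:
    """Hardened pattern: install only if the payload matches the authenticated
    manifest and is newer than what is installed. Returns 'install' or a reason."""
    # Rollback protection: an attacker must not be able to push an older build
    # that still carries a known, exploitable flaw.
    if version_tuple(manifest["version"]) <= version_tuple(installed_version):
        return "reject: downgrade"
    # Cheap size check first so truncated or padded payloads fail fast.
    if len(payload) != manifest["size"]:
        return "reject: size mismatch"
    # Hash the exact bytes that will be installed (not an earlier copy, which
    # would open a verify-then-install race) and compare in constant time.
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return "reject: digest mismatch"
    return "install"
```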

CVSS v3.1 base score is 7.8 (HIGH), vector AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L. Attack vector is adjacent network, user interaction is required, and scope is changed.

Why It Matters

CISA's KEV listing on 2026-04-02 confirms in-the-wild exploitation. Check Point Research has linked the bug to "Operation TrueChaos," a 0-day exploitation campaign against Southeast Asian government targets. Because the vulnerability lives in the update path, a successful intercept turns a routine update event into code execution on the endpoint, which is a high-value foothold for targeted intrusion sets and a class of attack that end users find difficult to detect.

What's Vulnerable

Patch Status

TrueConf has released a fixed build in the 8.5 line; upgrade to 8.5.3.884 or later via the vendor's Windows downloads page. CISA's required action (due 2026-04-16) is to apply vendor mitigations, follow BOD 22-01 guidance for cloud services where applicable, or discontinue use of the product if no mitigation is available. Known ransomware campaign use is listed as Unknown.

Sources