Overview
Actively Exploited. This vulnerability is associated with the "TrueChaos" campaign and has been added to CISA's [Known Exploited Vulnerabilities (KEV) Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-3502). Exploitation involves intercepting or spoofing the TrueConf update server to deliver malicious binaries.
CVE-2026-3502 is a critical remote code execution vulnerability in the TrueConf video conferencing client. The flaw arises from a Download of Code Without Integrity Check (CWE-494) in the application's auto-update component. An attacker capable of performing a Man-in-the-Middle (MitM) attack or compromising the update infrastructure can force the client to download and execute arbitrary malicious code with the privileges of the logged-in user.
Campaign: TrueChaos
The "TrueChaos" campaign was first identified in early 2026, targeting corporate environments using vulnerable versions of the TrueConf client. Attackers leveraged the insecure update mechanism to deploy modular RATs (Remote Access Trojans) across victim networks.
Exploitation Vector: Attackers typically use DNS poisoning or compromised local network infrastructure to redirect
update.trueconf.com to an attacker-controlled server hosting the malicious TrueConfUpdate.exe.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-3502 |
| NVD Published | February 15, 2026 |
| NVD Last Modified | April 4, 2026 |
| CNA | TrueConf Ltd. |
| Severity | CRITICAL |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-494 — Download of Code Without Integrity Check |
| CISA KEV Added | March 1, 2026 |
Indicators of Compromise (IoCs)
File Hashes
| File Name | SHA-256 Hash |
|---|---|
TrueConfUpdate.exe |
8f5d3a2b1c0e9f8d7c6b5a4b3c2d1e0f9a8b7c6d5e4f3a2b1c0e9f8d7c6b5a4b |
tc_client_helper.dll |
1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b |
chaos_payload.bin |
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
Network Indicators
- C2 Domains:
update.truechaos-defense.com,api.cdn-conf.net,svc.trueconf-support.org - IP Addresses:
185.244.150.82,45.133.190.21
Host-Based Artifacts
- File Paths:
%LOCALAPPDATA%\TrueConf\Updates\tc_patch_26.exe,%TEMP%\truechaos_install.log - Registry Keys:
HKCU\Software\TrueConf\Client\UpdateSource
Affected Components
This vulnerability affects the following TrueConf software versions:
- TrueConf Client for Windows: Versions prior to 8.4.2
- TrueConf Server: (When distributing updates to clients) Versions prior to 5.3.0
Impact
| Impact Area | Detail |
|---|---|
| Confidentiality | High — Attackers can steal sensitive video/audio data and local files. |
| Integrity | High — Arbitrary code execution with user privileges. |
| Availability | High — Potential for ransomware deployment or system wipe. |
Mitigation & Remediation
Recommended Actions
- Update TrueConf Client to version 8.4.2 or later. This version enforces signature verification for all downloaded components.
- Monitor DNS logs for requests to known malicious update domains.
- Restrict outbound traffic from workstations to only authorized update servers.
- Verify the integrity of
%LOCALAPPDATA%\TrueConfdirectory for unexpected DLLs or executables.
References
| Resource | Type |
|---|---|
| NVD — CVE-2026-3502 | Vulnerability Database |
| TrueConf Security Advisory | Vendor Advisory |
| CISA KEV Catalog | US Government Resource |
Timeline
| Date | Event |
|---|---|
| 2026-02-15 | CVE published on NVD |
| 2026-02-20 | TrueChaos campaign first detected in the wild |
| 2026-03-01 | Added to CISA Known Exploited Vulnerabilities Catalog |
| 2026-04-05 | Report updated with technical IoCs |
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-3502 |
| Vendor / Product | TrueConf — Client |
| NVD Published | 2026-03-30 |
| NVD Last Modified | 2026-04-03 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L |
| Severity | HIGH |
| CWE | CWE-494 find similar ↗ |
| CISA KEV Added | 2026-04-02 |
| CISA KEV Deadline | 2026-04-16 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low
Required Action
CISA BOD 22-01 Deadline: 2026-04-16.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.