CVE-2026-3502 - [KEV] - CVSS 7.8
Overview
CVE-2026-3502 is a download of code without integrity check vulnerability (CWE-494) affecting the TrueConf Client. The application's update mechanism fails to validate the authenticity or integrity of update payloads before execution. An attacker positioned to influence the update delivery path—through network interception, DNS manipulation, compromise of update infrastructure, or related path-substitution techniques—can deliver a tampered payload that the updater will execute, resulting in arbitrary code execution in the context of the updater process or the current user.
The vulnerability carries a CVSS score of 7.8 and an EPSS of 0.015. Despite the relatively low EPSS, CISA added CVE-2026-3502 to the Known Exploited Vulnerabilities (KEV) catalog on 2026-04-02, confirming active in-the-wild exploitation.
Affected Products
- TrueConf Client (TrueConf videoconferencing endpoint software)
Organizations should consult the vendor advisory for the exact version range affected and the fixed release.
Exploitation Evidence
- CISA KEV listing: CVE-2026-3502 was added to the KEV catalog on 2026-04-02, indicating verified active exploitation.
- Exploitation requires an attacker-controlled position over the update channel. Realistic preconditions include adversary-in-the-middle (AitM) on the client's network egress, rogue Wi-Fi or captive portals, ISP-level interference, compromise of an update mirror/CDN, or local hosts-file/proxy tampering on the endpoint.
- Successful exploitation yields code execution as the user running TrueConf Client; in some deployments the updater may run with elevated privileges, broadening impact.
ATT&CK Mapping
No formal ATT&CK mappings are present in the database. Based on the vulnerability class, the following techniques are plausible during an exploitation chain:
- T1195.002 – Supply Chain Compromise: Compromise Software Supply Chain (tampered update payload delivery)
- T1557 – Adversary-in-the-Middle (interception of update traffic)
- T1059 – Command and Scripting Interpreter / T1204.002 – User Execution: Malicious File (post-payload execution)
- T1543 – Create or Modify System Process (persistence if the updater installs services)
Threat Actor Context
No public threat actor attribution is currently available in the database for CVE-2026-3502. KEV listing implies confirmed exploitation by at least one threat actor, but specific group attribution has not been disclosed. Update-channel substitution attacks are historically associated with both nation-state operators (for targeted implants) and opportunistic AitM operators on hostile networks.
Recommended Actions
- Patch immediately: Upgrade TrueConf Client to the vendor-provided fixed version that enforces signature/integrity validation on update payloads. Federal civilian agencies must comply with the BOD 22-01 KEV remediation deadline.
- Restrict update traffic: Where patching is delayed, block or proxy TrueConf updater traffic through inspected, TLS-pinned egress paths and prevent the client from reaching arbitrary hosts.
- Inventory and isolate: Identify all endpoints with TrueConf Client installed; prioritize remediation on systems used on untrusted networks (remote workers, conference rooms, BYOD).
- Run with least privilege: Ensure TrueConf Client and its updater do not run as Administrator/SYSTEM where avoidable, limiting the blast radius of code execution.
- Detection: Hunt for anomalous child processes spawned by the TrueConf updater binary, unexpected file writes into the TrueConf install directory, and outbound update requests to non-vendor domains/IPs. Review EDR telemetry from the period before the 2026-04-02 KEV listing onward, since exploitation may predate the listing.
- Network hardening: Enforce DNS filtering, certificate pinning where supported, and block known rogue captive-portal/AitM infrastructure on corporate VPN egress.
- Incident response: On systems where unauthorized update activity is suspected, treat as potentially compromised—collect forensic images, rotate credentials, and validate endpoint integrity before returning to service.
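The three hunts in the Detection item above, expressed as rules over endpoint telemetry. This is an added example, not code from the advisory or from TrueConf; the updater binary name, install directory, expected child processes and vendor domain allow-list are assumptions to adjust to your estate, and the sample events are constructed.

```python
"""Hunt for CVE-2026-3502 indicators: updater children, foreign update hosts, install-dir writes."""
from urllib.parse import urlparse

# Assumptions (not from the advisory): image names, install path, vendor allow-list.
UPDATER_IMAGES = {"trueconf_updater.exe"}          # hypothetical updater binary
INSTALLER_IMAGES = {"msiexec.exe"}                 # installer the updater is expected to launch
INSTALL_DIR = r"c:\program files\trueconf\client"  # hypothetical install directory
VENDOR_DOMAINS = ("trueconf.com",)                 # assumed allow-list of legitimate update hosts
EXPECTED_CHILDREN = INSTALLER_IMAGES | {"conhost.exe"}

def _image(path):
    """Normalise a Windows image path to its lowercase file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _vendor_host(url):
    """True only if the URL host is a vendor domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)

def hunt(events):
    """Return (rule_name, event) pairs for telemetry matching one of the three hunts."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "process" and _image(ev["parent"]) in UPDATER_IMAGES:
            if _image(ev["image"]) not in EXPECTED_CHILDREN:
                findings.append(("updater_spawned_unexpected_child", ev))
        elif kind == "network" and _image(ev["image"]) in UPDATER_IMAGES:
            if not _vendor_host(ev["url"]):
                findings.append(("update_request_to_nonvendor_host", ev))
        elif kind == "file_write" and ev["path"].lower().startswith(INSTALL_DIR):
            if _image(ev["image"]) not in UPDATER_IMAGES | INSTALLER_IMAGES:
                findings.append(("foreign_write_to_install_dir", ev))
    return findings

# Constructed sample telemetry (not real logs): one benign and one suspicious event per hunt.
SAMPLE_EVENTS = [
    {"type": "network", "image": r"C:\Program Files\TrueConf\Client\trueconf_updater.exe",
     "url": "https://update.trueconf.com/client/latest.json"},
    {"type": "network", "image": r"C:\Program Files\TrueConf\Client\trueconf_updater.exe",
     "url": "http://203.0.113.7/update/trueconf_setup.exe"},
    {"type": "process", "parent": r"C:\Program Files\TrueConf\Client\trueconf_updater.exe",
     "image": r"C:\Windows\System32\msiexec.exe"},
    {"type": "process", "parent": r"C:\Program Files\TrueConf\Client\trueconf_updater.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "file_write", "image": r"C:\Program Files\TrueConf\Client\trueconf_updater.exe",
     "path": r"C:\Program Files\TrueConf\Client\trueconf.exe"},
    {"type": "file_write", "image": r"C:\Users\u\AppData\Local\Temp\stage.exe",
     "path": r"C:\Program Files\TrueConf\Client\trueconf.dll"},
]
```

Feed `hunt()` with events normalised from your EDR export; each finding names the rule it hit, so the output can be triaged per hunt.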