TrueConf Client
CVE-2025-66835
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Local DLL-plant requires an existing low-priv user (AV:L, PR:L); loads on normal client startup (UI:N); code runs at user context yielding high C/I but no availability impact and no scope change.
Primary rating from Vendor (mitre).
CVSS Vector (Vendor: mitre)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Description (CVE.org)
TrueConf Client 8.5.2 is vulnerable to DLL hijacking via crafted wfapi.dll allowing local attackers to execute arbitrary code within the user's context.
Analysis (AI)
Local code execution in TrueConf Client 8.5.2 lets an already-authenticated local user run arbitrary code in the context of the victim user by planting a malicious wfapi.dll that the application loads insecurely (CWE-427). Publicly available exploit code exists, but no active exploitation has been identified: the CVE is not listed in CISA KEV and EPSS is low (0.17%, 6th percentile), indicating little observed real-world exploitation activity. The impact is confined to the current user's context (no privilege escalation to SYSTEM claimed).
Technical Context (AI)
TrueConf Client is a Windows desktop endpoint for the TrueConf video-conferencing/UC platform. The flaw is a classic DLL search-order/uncontrolled-search-path hijacking issue (CWE-427, Uncontrolled Search Path Element): the application resolves and loads wfapi.dll without pinning a fully-qualified trusted path, so Windows' default loader search order can be abused to load an attacker-supplied DLL from a writable directory that precedes the legitimate one. wfapi.dll appears to be a dependency the client expects at load time; because the load is unqualified, any directory the attacker controls in the search path (e.g., the application's own install/working directory or the current working directory) becomes a code-injection vector. The single affected build is identified by CPE cpe:2.3:a:trueconf:trueconf:8.5.2, i.e. version 8.5.2 specifically.
Remediation (AI)
No vendor-released patch or fixed version is identified in the available data, so an exact upgrade target cannot be cited; check TrueConf's official advisories for a build newer than 8.5.2 before deploying. Specific compensating controls: ensure the TrueConf installation directory and any directory the client uses as its working/current directory are not writable by non-administrative users (tighten NTFS ACLs so standard users cannot drop wfapi.dll there), which removes the attacker's DLL-plant location at the cost of stricter directory management; verify that a legitimate signed wfapi.dll is present in the trusted application directory so the loader resolves it before any planted copy; and apply application allowlisting (e.g., WDAC/AppLocker DLL rules) to block unsigned or unexpected DLLs from loading, accepting the operational overhead of maintaining allowlist rules. Monitor endpoints for creation of wfapi.dll in unexpected paths. The only external reference available is the third-party PoC at https://github.com/x00nullbit/CVE-References/blob/main/CVE-2025-66835/README.md.
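The directory-ACL and wfapi.dll checks described above can be run on an endpoint as a short audit. The script below is an added example, not code from TrueConf or the referenced PoC; `$InstallDir` and `$SearchRoots` are operator-supplied assumptions because the page does not give an install path, and only four well-known broad principals are tested.

```powershell
# Added example: audit one endpoint for the CVE-2025-66835 compensating controls.
# $InstallDir / $SearchRoots are assumptions supplied by the operator; no default path is implied.
param(
    [Parameter(Mandatory)][string]$InstallDir,
    [string[]]$SearchRoots = @($InstallDir)
)

# Well-known SIDs for broad, non-administrative principals (locale-independent).
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}
# CreateFiles (0x2) is contained in Write, Modify and FullControl;
# 0x40000000 / 0x10000000 are GENERIC_WRITE / GENERIC_ALL when stored raw in an ACE.
$plantMask   = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles -bor 0x40000000 -bor 0x10000000
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# Check 1: can a standard user create a file (such as wfapi.dll) in the install directory?
$acl   = Get-Acl -LiteralPath $InstallDir
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
foreach ($rule in $rules) {
    $sid = $rule.IdentityReference.Value
    $appliesToDir = (([int]$rule.PropagationFlags) -band $inheritOnly) -eq 0
    $canCreate    = (([int]$rule.FileSystemRights) -band $plantMask) -ne 0
    if ($rule.AccessControlType -eq 'Allow' -and $appliesToDir -and $canCreate -and
        $broadSids.ContainsKey($sid)) {
        [pscustomobject]@{
            Check  = 'WritableInstallDir'; Path = $InstallDir
            Detail = '{0} has {1}' -f $broadSids[$sid], $rule.FileSystemRights
        }
    }
}

# Check 2: list every wfapi.dll under the search roots with its Authenticode status,
# so unsigned copies or copies in unexpected paths stand out.
foreach ($root in $SearchRoots) {
    Get-ChildItem -LiteralPath $root -Filter 'wfapi.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Check  = 'WfapiCopy'; Path = $_.FullName
                Detail = 'Signature={0}; Signer={1}' -f $sig.Status, $sig.SignerCertificate.Subject
            }
        }
}
```

An empty `WritableInstallDir` result only covers the four principals listed; write access granted to a named user or another group still needs a manual ACL review.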