Severity by source
AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
Lifecycle Timeline
5DescriptionCVE.org
TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.
Articles & Coverage 2
AnalysisAI
Arbitrary code execution in TrueConf Client allows authenticated attackers on adjacent networks to deliver malicious updates due to missing integrity verification. The auto-update mechanism accepts unsigned or unverified payloads, enabling man-in-the-middle attackers with high privileges to substitute trojanized updates that execute with the application's permissions. EPSS data not available; no confirmed active exploitation (not in CISA KEV); publicly available exploit code not identified at time of analysis. CVSS 7.8 reflects the adjacent network attack vector and user interaction requirement, reducing immediate internet-scale risk.
Technical ContextAI
This vulnerability exploits a fundamental weakness in software update integrity validation, classified as CWE-494 (Download of Code Without Integrity Check). TrueConf Client's update mechanism retrieves application code over a network channel but fails to cryptographically verify the payload's authenticity or integrity before installation. Modern secure update systems employ code signing with asymmetric cryptography, where the client validates updates against a vendor's public key certificate. The absence of this verification creates a trust boundary violation: any entity capable of intercepting or influencing the update delivery path-such as a malicious actor with adjacent network access or compromised infrastructure-can substitute arbitrary executables. The affected product, identified by CPE cpe:2.3:a:trueconf:trueconf_client:*:*:*:*:*:*:*:*, is a video conferencing and collaboration platform client application. The CVSS vector indicates attacks originate from adjacent networks (AV:A), meaning the attacker must be positioned on the same local network segment or VLAN as the victim, rather than exploiting the vulnerability remotely over the internet.
RemediationAI
Organizations should immediately upgrade TrueConf Client to version 8.5 or later, which vendor release notes at https://trueconf.com/blog/update/trueconf-8-5 indicate includes security improvements addressing update integrity verification. Until patching is complete, implement network-level compensating controls: restrict TrueConf update traffic to vendor-controlled domains using application-layer firewalls or DNS filtering, deploy network segmentation to prevent unauthorized adjacent network access, and monitor update channels for anomalous behavior using intrusion detection systems. For high-security environments, consider disabling automatic updates and deploying new versions through controlled enterprise software distribution systems that perform independent integrity verification. Validate post-deployment that the updated client properly verifies code signatures by reviewing application logs or testing with network traffic analysis tools.
Same weakness CWE-494 – Download of Code Without Integrity Check
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17162