Skip to main content

Trueconf Client CVE-2026-3502

| EUVDEUVD-2026-17162 HIGH
Download of Code Without Integrity Check (CWE-494)
2026-03-30 checkpoint
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

5
Added to CISA KEV
Apr 03, 2026 - 11:40 cisa
CISA KEV
PoC Detected
Apr 03, 2026 - 11:40 vuln.today
Public exploit code
EUVD ID Assigned
Mar 30, 2026 - 18:45 euvd
EUVD-2026-17162
Analysis Generated
Mar 30, 2026 - 18:45 vuln.today
CVE Published
Mar 30, 2026 - 18:05 nvd
HIGH 7.8

DescriptionCVE.org

TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.

AnalysisAI

Arbitrary code execution in TrueConf Client allows authenticated attackers on adjacent networks to deliver malicious updates due to missing integrity verification. The auto-update mechanism accepts unsigned or unverified payloads, enabling man-in-the-middle attackers with high privileges to substitute trojanized updates that execute with the application's permissions. EPSS data not available; no confirmed active exploitation (not in CISA KEV); publicly available exploit code not identified at time of analysis. CVSS 7.8 reflects the adjacent network attack vector and user interaction requirement, reducing immediate internet-scale risk.

Technical ContextAI

This vulnerability exploits a fundamental weakness in software update integrity validation, classified as CWE-494 (Download of Code Without Integrity Check). TrueConf Client's update mechanism retrieves application code over a network channel but fails to cryptographically verify the payload's authenticity or integrity before installation. Modern secure update systems employ code signing with asymmetric cryptography, where the client validates updates against a vendor's public key certificate. The absence of this verification creates a trust boundary violation: any entity capable of intercepting or influencing the update delivery path-such as a malicious actor with adjacent network access or compromised infrastructure-can substitute arbitrary executables. The affected product, identified by CPE cpe:2.3:a:trueconf:trueconf_client:*:*:*:*:*:*:*:*, is a video conferencing and collaboration platform client application. The CVSS vector indicates attacks originate from adjacent networks (AV:A), meaning the attacker must be positioned on the same local network segment or VLAN as the victim, rather than exploiting the vulnerability remotely over the internet.

RemediationAI

Organizations should immediately upgrade TrueConf Client to version 8.5 or later, which vendor release notes at https://trueconf.com/blog/update/trueconf-8-5 indicate includes security improvements addressing update integrity verification. Until patching is complete, implement network-level compensating controls: restrict TrueConf update traffic to vendor-controlled domains using application-layer firewalls or DNS filtering, deploy network segmentation to prevent unauthorized adjacent network access, and monitor update channels for anomalous behavior using intrusion detection systems. For high-security environments, consider disabling automatic updates and deploying new versions through controlled enterprise software distribution systems that perform independent integrity verification. Validate post-deployment that the updated client properly verifies code signatures by reviewing application logs or testing with network traffic analysis tools.

Share

CVE-2026-3502 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy