TrueConf Zero-Day Exploited in Attacks on Southeast Asian Government Networks

# TrueConf Zero-Day Used in TrueChaos Campaign Against Southeast Asian Governments

## The Threat

A critical vulnerability in TrueConf's video conferencing software has been actively exploited in targeted attacks against government networks throughout Southeast Asia in a campaign researchers are tracking as TrueChaos. The flaw, tracked as CVE-2026-3502, stems from inadequate integrity verification during the application's update process, allowing threat actors to inject malicious code directly into legitimate software updates.

The attack chain is particularly insidious: when TrueConf clients check for updates, the application fails to properly validate the cryptographic signature or integrity of downloaded update packages. An attacker positioned to intercept network traffic—or one who has compromised update distribution infrastructure—can inject malware into the update stream. Victims receive what appears to be a legitimate software update and execute it with the same privileges as the TrueConf application itself, potentially granting attackers high-level access to enterprise systems.

This represents a worst-case scenario for software supply chain security. Rather than compromising the vendor's infrastructure directly, threat actors are abusing a fundamental flaw in how the client validates updates. For government agencies already using TrueConf for secure communications, the implications are severe: an attacker could establish persistent backdoor access, exfiltrate classified communications, or pivot deeper into critical infrastructure networks.

## Severity and Impact

| Attribute | Details |

|---|---|

| CVE ID | CVE-2026-3502 |

| CVSS Score | 7.8 (High) |

| CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |

| Attack Vector | Local |

| Attack Complexity | Low |

| Authentication Required | None |

| User Interaction | Required |

| CWE | CWE-347 (Improper Verification of Cryptographic Signature) |

| Exploited in Wild | Yes (TrueChaos campaign) |

The CVSS 7.8 rating reflects the vulnerability's practical exploitability and severe impact. While the attack vector is technically "local" (requiring presence on the network or ability to intercept updates), the low attack complexity and absence of authentication requirements make this highly dangerous in enterprise environments where TrueConf may be used on shared networks or where network traffic inspection tools are limited.

## Affected Products

The following TrueConf products and versions are affected by CVE-2026-3502:

- Versions 8.0 through 8.3.x before patched releases

- Version 9.0 before 9.0.1

- Version 9.1 before 9.1.2

- Versions 7.2 through 8.2.x (update delivery component vulnerable)

- All versions through 7.5

- Browser-based versions affected if connecting to vulnerable server infrastructure

Organizations should verify their installed versions immediately, as the TrueChaos campaign specifically targets government entities that may have deployed older, less-maintained instances of TrueConf.

## Mitigations

Immediate Actions:

1. Patch Immediately — Apply vendor updates as soon as they become available. TrueConf has released patched versions that implement cryptographic signature verification on all update packages. Check the vendor advisory for specific version numbers and deployment guidance.

2. Network Segmentation — Restrict TrueConf client and server access to designated network segments. Limit the systems that can reach TrueConf update servers, and implement network access controls to prevent lateral movement if a client is compromised.

3. Update Traffic Inspection — Monitor and validate TrueConf update downloads at the network boundary:

- Use proxy/firewall rules to inspect TrueConf update traffic

- Validate update package hashes against TrueConf's published cryptographic checksums

- Block updates from non-official sources

4. Application Hardening:

- Disable automatic updates temporarily if patching cannot be completed immediately, and manually verify updates before installation

- Run TrueConf clients with minimal required privileges (avoid running as administrator where possible)

- Disable features not in use (screen sharing, file transfer, recording) to reduce attack surface

5. Threat Detection — Deploy endpoint detection and response (EDR) tools to monitor TrueConf process behavior:

- Alert on unexpected child processes spawned by TrueConf

- Monitor for unusual network connections initiated by the application

- Flag suspicious file writes or registry modifications

6. Network Monitoring — Implement network detection tools to identify:

- Attempts to intercept TrueConf update traffic

- Suspicious TLS certificate validation failures for update servers

- Unusual outbound connections from TrueConf processes

Long-Term Remediation:

## References

---

Key Takeaway: This vulnerability demonstrates why update mechanisms themselves must be hardened and cryptographically validated. Government and enterprise organizations using TrueConf should treat this as a critical-priority patch, not a routine maintenance task. The active exploitation in the wild means attackers are actively hunting for unpatched instances. Delay increases risk of compromise.