A zero-day vulnerability (CVE-2026-3502, CVSS 7.8 HIGH) in the TrueConf client allows attackers to compromise the application's trusted update mechanism to deliver malware, as observed in targeted attacks against government networks in Southeast Asia. The article does not specify affected or fixed versions.
Suspected China-nexus attackers have leveraged a zero-day vulnerability (CVE-2026-3502) in the TrueConf client application to distribute malware within government networks in Southeast Asia, Check Point researchers discovered. Malicious client update attack chain (Source: Check Point) Trusted update mechanism turned into attack vector TrueConf is a videoconferencing platform designed to run on private local networks (LANs) without internet access, which makes it attractive to government departments, defense institutions, and critical infrastructure operators. Consequently, the solution is … More → The post TrueConf zero-day vulnerability turns its own update process into malware delivery channel appeared first on Help Net Security .