Home

Description

TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.

PUBLISHED Reserved 2026-03-03 | Published 2026-03-30 | Updated 2026-04-03 | Assigner checkpoint




HIGH: 7.8CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L

CISA Known Exploited Vulnerability

Date added 2026-04-02 | Due date 2026-04-16

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Problem types

CWE-494: Download of Code Without Integrity Check.

Product status

TrueConf Client versions 8.1.0 through 8.5.2
affected

References

research.checkpoint.com/...utheast-asian-government-targets/ third-party-advisory

www.cisa.gov/...nerabilities-catalog?field_cve=CVE-2026-3502 government-resource

trueconf.com/blog/update/trueconf-8-5

cve.org (CVE-2026-3502)

nvd.nist.gov (CVE-2026-3502)

Download JSON