KEV: TrueConf Client download of code without integrity check (CVE-2026-3502)

Signal: Added to CISA KEV on 2026-04-02 (due 2026-04-16). TrueConf Client is being tracked as exploited in the wild.

What it is

TrueConf Client contains a download-of-code-without-integrity-check flaw. Treat this as a high-priority endpoint/software-supply-chain issue: if a client can fetch and execute code without validating integrity, remote code execution or payload substitution may follow.

References:
  • CISA KEV entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  • NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-3502

Triage

  1. Inventory where TrueConf Client is installed:
     • employee workstations
     • shared kiosks / conference-room endpoints
     • support or executive devices
  2. Determine whether the client is managed centrally or updated ad hoc.
  3. Check whether the client is allowed to fetch content from the internet or internal update mirrors.
  4. Identify any adjacent systems that trust TrueConf sessions, files, or integrations.

Mitigation

  • Upgrade or remove the client immediately using vendor guidance.
  • If you cannot patch quickly, isolate affected hosts from untrusted networks until remediation is complete.
  • Review update channels, mirrors, and deployment tooling for tampering risk.
  • Revoke or rotate any credentials, tokens, or secrets exposed on hosts running the client if compromise is suspected.

Hunt / detection

  • Review endpoint telemetry for:
     • unexpected child processes from the client
     • new downloads shortly before suspicious execution
     • unusual network calls to update or content-hosting domains
     • file writes in temp, cache, or user profile locations
  • Correlate with EDR for:
     • unsigned or recently dropped binaries
     • suspicious script interpreters
     • abnormal persistence created around client launch times
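
The hunt criteria above, turned into a small script over constructed endpoint telemetry. This is an added example, not code from the advisory or from TrueConf; the JSON-lines event shape, the `trueconf` image-path match, and the interpreter and drop-directory lists are assumptions you would adapt to your own EDR export.

```python
import json
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real data): JSON lines with ISO timestamps.
SAMPLE_EVENTS = r"""
{"ts":"2026-04-03T09:00:00","type":"process","pid":410,"ppid":1,"image":"C:\\Program Files\\TrueConf\\TrueConf.exe","signed":true}
{"ts":"2026-04-03T09:01:10","type":"file_write","pid":410,"path":"C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe"}
{"ts":"2026-04-03T09:01:25","type":"process","pid":522,"ppid":410,"image":"C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe","signed":false}
{"ts":"2026-04-03T09:02:00","type":"process","pid":530,"ppid":410,"image":"C:\\Windows\\System32\\cmd.exe","signed":true}
{"ts":"2026-04-03T09:05:00","type":"process","pid":600,"ppid":1,"image":"C:\\Windows\\System32\\notepad.exe","signed":true}
"""

CLIENT_MARK = "trueconf"  # assumed substring identifying the client's image path
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DROP_DIRS = ("\\temp\\", "\\appdata\\", "\\cache\\")  # temp, cache, user-profile locations
EXEC_WINDOW = timedelta(minutes=5)  # "new download shortly before execution"

def parse(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def hunt(events, window=EXEC_WINDOW):
    """Return (rule, pid, path) tuples for events matching the hunt criteria."""
    procs = [e for e in events if e["type"] == "process"]
    client_pids = {e["pid"] for e in procs if CLIENT_MARK in e["image"].lower()}
    findings = []
    for e in procs:
        if e["ppid"] not in client_pids:
            continue  # only children of the client are of interest here
        name = PureWindowsPath(e["image"]).name.lower()
        low = e["image"].lower()
        if name in INTERPRETERS:
            findings.append(("interpreter_child", e["pid"], e["image"]))
        elif not e["signed"] or any(d in low for d in DROP_DIRS):
            findings.append(("unsigned_or_dropped_child", e["pid"], e["image"]))
    # File written by the client into a drop location, then executed within the window.
    for w in (e for e in events if e["type"] == "file_write" and e["pid"] in client_pids):
        if not any(d in w["path"].lower() for d in DROP_DIRS):
            continue
        t0 = datetime.fromisoformat(w["ts"])
        for p in procs:
            dt = (datetime.fromisoformat(p["ts"]) - t0).total_seconds()
            if p["image"].lower() == w["path"].lower() and 0 <= dt <= window.total_seconds():
                findings.append(("dropped_then_executed", p["pid"], p["image"]))
    return findings

if __name__ == "__main__":
    for rule, pid, path in hunt(parse(SAMPLE_EVENTS)):
        print(rule, pid, path)
```

Each finding is a lead to confirm against the binary's signature and the update channel it came from, not a verdict on its own.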

Recovery notes

If exploitation is suspected:
  • disconnect the host and preserve evidence
  • collect process, network, and file telemetry before cleanup
  • verify the integrity of any downloaded payloads or update artifacts
  • reimage or restore the endpoint if you cannot prove it remained trustworthy
  • validate that other devices using the same update path were not exposed