CISA adds actively exploited TrueConf flaw to KEV and gives agencies until April 16 to patch
CISA has added CVE-2026-3502, a TrueConf Client vulnerability, to its Known Exploited Vulnerabilities catalog after confirming active exploitation. The agency says federal civilian agencies must apply mitigations by April 16, 2026, or stop using the product if fixes are unavailable.
The flaw affects the TrueConf Client update process. NVD describes it as a download-of-code-without-integrity-check issue, which means the client can fetch and apply update code without properly verifying it first.
In plain terms, an attacker who can influence the update path may be able to replace a legitimate update with a malicious file. If the updater runs that file, the attacker may gain arbitrary code execution in the context of the updating process or user.
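To make the CWE-494 point concrete, the following is an added example (not TrueConf's code and not its updater's real format) of the check an updater should perform before it runs anything it downloaded: a manifest signed with a publisher key the client already trusts, which in turn pins the hash of the installer. The Manifest layout, the signed-field encoding and the sample bytes are assumptions constructed for this example, and the key pair is generated in main only for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what the update server hands the client: the version on offer, the
// SHA-256 of the installer and the publisher's signature over both fields.
// (Constructed format for this example; not TrueConf's real manifest.)
type Manifest struct {
	Version, SHA256 string
	Signature       []byte
}

// signedFields fixes the exact bytes the signature covers.
func signedFields(version, sum string) []byte {
	return []byte("version=" + version + "\nsha256=" + sum + "\n")
}

// SignManifest runs on the publisher's build system, where the private key lives.
func SignManifest(priv ed25519.PrivateKey, version string, installer []byte) Manifest {
	sum := sha256.Sum256(installer)
	hexSum := hex.EncodeToString(sum[:])
	return Manifest{version, hexSum, ed25519.Sign(priv, signedFields(version, hexSum))}
}

// VerifyUpdate is the hardened client path: the publisher's public key ships with
// the client, and an installer is accepted only if the manifest signature is valid
// AND the downloaded bytes hash to the value the signed manifest names. Skipping
// this step and running whatever arrived on the update path is the CWE-494 pattern.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, installer []byte) error {
	if !ed25519.Verify(pub, signedFields(m.Version, m.SHA256), m.Signature) {
		return errors.New("manifest signature invalid: refusing update")
	}
	if sum := sha256.Sum256(installer); hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("installer hash does not match signed manifest: refusing update")
	}
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // demo-only key pair
	genuine := []byte("constructed installer bytes for 8.5.3.884")
	m := SignManifest(priv, "8.5.3.884", genuine)
	fmt.Println("genuine:", VerifyUpdate(pub, m, genuine))                     // <nil>
	fmt.Println("swapped:", VerifyUpdate(pub, m, []byte("attacker payload"))) // hash mismatch
	m.Version = "8.5.4.0"                                                      // manifest edited in transit
	fmt.Println("edited :", VerifyUpdate(pub, m, genuine))                     // signature invalid
}
```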
What CISA and researchers are saying
CISA’s KEV entry lists the issue as “TrueConf Client Download of Code Without Integrity Check Vulnerability,” with a date added of April 2, 2026, and a due date of April 16, 2026. The required action is clear: apply vendor mitigations, follow BOD 22-01 guidance for cloud services, or discontinue use if mitigations are not available.
NVD shows the CVE came from Check Point Software Technologies and carries a CNA CVSS 3.1 base score of 7.8 High. The weakness maps to CWE-494, which covers cases where software downloads code without integrity checks.
Check Point says the flaw was exploited in the wild during attacks against Southeast Asian government targets. According to its research, attackers abused the trusted relationship between an on-premises TrueConf server and connected clients, turning the normal update flow into a delivery channel for malicious code.
Who is affected and what version fixes it
NVD’s affected software entry says vulnerable TrueConf Windows versions run up to, but excluding, version 8.5.3.884. That means organizations should treat builds older than 8.5.3.884 as exposed unless the vendor states otherwise.
TrueConf has already published the 8.5.3 desktop update, and NVD links TrueConf’s release material as the product reference for this CVE. Independent reporting also says the flaw was patched starting with version 8.5.3.
Private companies are not legally bound by BOD 22-01 in the same way as federal civilian agencies, but the risk does not stop at government networks. If an attacker can tamper with the update path, the bug can become an efficient way to push malware across multiple client systems.
TrueConf CVE-2026-3502 at a glance
| Item | Details |
|---|---|
| CVE | CVE-2026-3502 |
| Product | TrueConf Client for Windows |
| Issue type | Download of code without integrity check |
| CWE | CWE-494 |
| Severity | 7.8 High by CNA |
| KEV added | April 2, 2026 |
| CISA due date | April 16, 2026 |
| Affected versions | Up to, but excluding, 8.5.3.884 |
What security teams should do now
- Update TrueConf Client to a fixed version immediately.
- Review any internal TrueConf update infrastructure and confirm no one can tamper with the delivery path.
- Hunt for signs of malicious updates, unexpected payloads, or post-exploitation frameworks on systems that ran older builds. Check Point says attackers used the flaw to deploy additional malicious tooling.
- Follow CISA’s required action if you are an FCEB agency, including discontinuing product use if mitigations are unavailable.
FAQ
What is CVE-2026-3502?
It is a TrueConf Client vulnerability where the updater can download and apply code without proper integrity verification, opening the door to malicious update substitution.
Why did CISA add it to the KEV catalog?
Because the flaw is under active exploitation in the wild. CISA added it on April 2, 2026.
Which versions are affected?
NVD lists TrueConf Windows versions up to, but excluding, 8.5.3.884 as affected.
Is a fix available?
Yes. NVD references the vendor’s TrueConf 8.5 release material, and current reporting says the issue is patched in the 8.5.3 branch.