Chinese cyber actors have recently exploited a zero-day vulnerability in TrueConf’s video conferencing software to target government bodies in Asia, Check Point researchers have disclosed.
Vulnerability Details and Attack Mechanism
The exploited vulnerability, cataloged as CVE-2026-3502 with a CVSS score of 7.8, arises from the application’s failure to adequately verify updates before installing them. The flaw permits execution of malicious code by any attacker able to tamper with the update process.
The intrusion relied on tampering with the update code, a tactic that, according to Check Point, was used effectively in the observed incidents.
Implications for Government and Critical Infrastructure
TrueConf is designed for deployment within private networks, often utilized by governmental and military organizations for secure communications. This setup ensures all communications remain internal, with offline capabilities for isolated systems, Check Point highlights.
The update process for TrueConf clients involves the on-premises server fetching and installing updates, yet it performs no integrity or authenticity checks on an update before installing it. This weakness was exploited in the attack Check Point has dubbed TrueChaos.
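As an added illustration (not code from this article, from TrueConf, or from Check Point), the following Go program shows the two checks the update path described above was missing: an Ed25519 signature over an update manifest, verified against a public key pinned in the client, and a SHA-256 hash that binds the manifest to the package bytes actually received, with a downgrade guard on the version number. The manifest layout, the function names, the key material and the package bytes are assumptions constructed for the example; 8.5.3 is only used here because it is the patched version the article names.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Manifest is the metadata a publisher ships next to an update package
// (hypothetical layout for this example). The publisher signs the canonical
// byte form of Version and PackageSHA256 with an offline key; the client pins
// the matching public key at build time, so a compromised update server
// cannot mint a valid manifest for a substituted package.
type Manifest struct {
	Version       string
	PackageSHA256 string // hex-encoded SHA-256 of the package bytes
	Signature     []byte // Ed25519 signature over canonicalBytes()
}

func (m Manifest) canonicalBytes() []byte {
	return []byte(m.Version + "\n" + m.PackageSHA256 + "\n")
}

// SignManifest is the publisher-side step (run with the offline key).
func SignManifest(priv ed25519.PrivateKey, version string, pkg []byte) Manifest {
	sum := sha256.Sum256(pkg)
	m := Manifest{Version: version, PackageSHA256: hex.EncodeToString(sum[:])}
	m.Signature = ed25519.Sign(priv, m.canonicalBytes())
	return m
}

var (
	ErrBadSignature = errors.New("update rejected: manifest signature does not verify against pinned key")
	ErrHashMismatch = errors.New("update rejected: package hash does not match signed manifest")
	ErrDowngrade    = errors.New("update rejected: version is not newer than the installed one")
)

// VerifyUpdate is the client-side gate that must pass before anything is
// written to disk or executed. Authenticity (signature) is checked first,
// then integrity (hash), then the downgrade guard.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, pkg []byte, installed string) error {
	if !ed25519.Verify(pinned, m.canonicalBytes(), m.Signature) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(pkg)
	want, err := hex.DecodeString(m.PackageSHA256)
	if err != nil || !bytes.Equal(sum[:], want) {
		return ErrHashMismatch
	}
	if !newerVersion(m.Version, installed) {
		return ErrDowngrade
	}
	return nil
}

// newerVersion compares dotted numeric versions; equal versions are not "newer".
func newerVersion(candidate, installed string) bool {
	a, b := strings.Split(candidate, "."), strings.Split(installed, ".")
	for i := 0; i < len(a) || i < len(b); i++ {
		var x, y int
		if i < len(a) {
			x, _ = strconv.Atoi(a[i])
		}
		if i < len(b) {
			y, _ = strconv.Atoi(b[i])
		}
		if x != y {
			return x > y
		}
	}
	return false
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for an installer; real packages would be read from the fetched file.
	pkg := []byte("constructed update package bytes")
	m := SignManifest(priv, "8.5.3", pkg)
	fmt.Println("genuine update:", VerifyUpdate(pub, m, pkg, "8.5.2"))
	tampered := append([]byte("x"), pkg...) // server swapped the package
	fmt.Println("tampered package:", VerifyUpdate(pub, m, tampered, "8.5.2"))
}
```

The important property is that the server that distributes the package never holds the signing key, so compromising it, as happened here, yields neither a valid signature for a replaced package nor a way to edit the manifest without invalidating it.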
Attack Execution and Consequences
The attackers compromised the local TrueConf server, substituting the update package with a malicious variant, likely prompting users to initiate the update process. This affected multiple government agencies supplied with the corrupted update.
The modified update introduced a malicious library via DLL sideloading, enabling reconnaissance, preparation for lateral movement, persistence, and retrieval of additional malicious payloads.
Though the final payload was not deployed, network traffic indicated communication with a command-and-control server linked to Havoc, an open-source post-exploitation tool, suggesting involvement by a Chinese threat actor.
Response and Recommendations
TrueConf addressed the zero-day vulnerability with an update in version 8.5.3 of their client software, released in March. The U.S. cybersecurity agency CISA has since added this vulnerability to its Known Exploited Vulnerabilities catalog, advising federal agencies to implement the patch by April 16.
This incident underscores the critical need for rigorous update verification processes in software deployed within sensitive environments, to prevent similar security breaches in the future.
