CVE-2026-3502
KEV
🔴 Łataj teraz
Brak weryfikacji aktualizacji w TrueConf Client pozwala na zdalne wykonanie kodu.
CVSS
7.8
EPSS
1.3%
Exploit
weaponized
Vendor
trueconf
Opis źródłowy (NVD)
TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.
rce
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 7.8 |
| CISA KEV (aktywnie wykorzystywane) | Tak |
| FIRST EPSS (prawdopodobieństwo exploita) | 1.3% |
| Opublikowano (NVD) | 2026-03-30 19:16:27 UTC |
| Ostatnia modyfikacja (NVD) | 2026-04-03 11:40:57 UTC |
Referencje
- https://trueconf.com/blog/update/trueconf-8-5 (cve@checkpoint.com) [Product, Release Notes]
- https://research.checkpoint.com/2026/operation-truechaos-0-day-exploitation-against-southeast-asian-government-targets/ (134c704f-9b21-4f2e-91b3-4a467353bcc0) [Third Party Advisory]
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-3502 (134c704f-9b21-4f2e-91b3-4a467353bcc0) [US Government Resource]