
Critical TrueConf Zero-Day Exploited in Targeted Attacks on Southeast Asian Governments

Breaking: Zero-Day Vulnerability Under Active Exploitation

Check Point Research has uncovered a critical zero-day vulnerability in the TrueConf video conferencing client, tracked as CVE-2026-3502 with a CVSS score of 7.8. The flaw is being actively exploited in a targeted campaign named 'TrueChaos' against government entities in Southeast Asia.

The vulnerability allows an attacker controlling an on-premises TrueConf server to distribute and execute arbitrary files across all connected endpoints. The threat actor behind TrueChaos has abused the TrueConf update mechanism to deploy the Havoc payload, a known post-exploitation framework.

Attribution and Confidence

Based on observed tactics, techniques, and procedures (TTPs), command-and-control infrastructure, and victimology, Check Point assesses with moderate confidence that the activity is linked to a Chinese-nexus threat actor. 'The sophistication and targeting align with state-sponsored espionage campaigns,' said Dr. Maya Singh, senior threat intelligence analyst at Check Point.

The campaign targets high-value government networks, likely to steal sensitive diplomatic and defense data. Researchers urge immediate patching to prevent further compromise.

Vulnerability Details

CVE-2026-3502 stems from a weakness in TrueConf's updater validation mechanism. On-premises deployments create a trusted relationship between the server and its clients, and the attacker hijacks that trust to push malicious updates. 'This is a classic supply-chain attack vector,' explained James O'Connor, vulnerability researcher with Check Point.
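The trusted-update weakness described above, as an added example that is not TrueConf's code or part of Check Point's research: a client that treats its on-premises server as a transport only and installs a file solely when it carries a signature under a pinned vendor key the server never holds. The message format, keys and sample payloads are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Update is what the client receives from its paired on-premises server: the
// file it would run, the announced version, and a detached vendor signature.
type Update struct {
	Version   string
	Payload   []byte
	Signature []byte
}

// signedMessage binds the payload to the version string so a server cannot
// relabel an old or foreign file as a newer build (constructed format).
func signedMessage(u Update) []byte {
	return append([]byte(u.Version+"\x00"), u.Payload...)
}

// signUpdate models the vendor's release pipeline; the on-premises server
// never holds this key, so controlling the server is not enough to sign.
func signUpdate(priv ed25519.PrivateKey, version string, payload []byte) Update {
	u := Update{Version: version, Payload: payload}
	u.Signature = ed25519.Sign(priv, signedMessage(u))
	return u
}

// acceptUpdate is the hardened client check: the server is only a transport,
// the pinned vendor public key decides whether the file may be installed.
func acceptUpdate(vendorPub ed25519.PublicKey, u Update) error {
	if !ed25519.Verify(vendorPub, signedMessage(u), u.Signature) {
		return errors.New("not signed by the pinned vendor key; refusing to install")
	}
	return nil
}

// demo delivers a genuine release, a file signed with a key the server operator
// controls, and a genuine release whose payload was swapped after signing.
func demo() (genuineOK, forgeryRejected, tamperRejected bool) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, serverPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker-held server key
	genuine := signUpdate(vendorPriv, "8.5.3", []byte("constructed: legitimate build"))
	forged := signUpdate(serverPriv, "8.5.3", []byte("constructed: stand-in for an implant"))
	tampered := Update{Version: "8.5.3", Payload: []byte("constructed: swapped"), Signature: genuine.Signature}
	return acceptUpdate(vendorPub, genuine) == nil, acceptUpdate(vendorPub, forged) != nil, acceptUpdate(vendorPub, tampered) != nil
}
```

Only the vendor-signed build is accepted; a file signed with the server operator's own key and a payload swapped under a genuine signature are both refused, which is the property a compromised server would otherwise bypass.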

TrueConf released a fixed version (8.5.3) in March 2026 after responsible disclosure. Organizations using older versions should upgrade immediately. The current stable build is 8.5.2, meaning many users remain vulnerable.

Background: TrueConf's Role in Secure Communications

TrueConf is a video conferencing platform supporting both cloud and on-premises deployments. It is widely used by governments, defense departments, and critical infrastructure sectors in Russia, East Asia, Europe, and the Americas. Over 100,000 organizations globally depend on it.

In on-premises mode, all audio, video, and chat traffic stays within a private LAN, ensuring data privacy in secure or remote environments. This makes it essential for military coordination during natural disasters or in areas with poor internet connectivity. 'The very architecture that guarantees security also opens the door for this attack,' noted Dr. Singh.

What This Means

For organizations using TrueConf on-premises, the TrueChaos campaign highlights the risk of trusted update channels. Admins must verify that their TrueConf server and clients are on version 8.5.3 or later. Unpatched systems allow attackers to move laterally and deploy backdoors like Havoc.

This incident also underscores the need for supply-chain security in video conferencing tools. 'Any software with an auto-update mechanism can be weaponized if the server is compromised,' warned O'Connor. Governments in Southeast Asia should monitor for signs of Havoc activity and conduct forensic audits.

Check Point continues to track TrueChaos and will release additional indicators of compromise. For technical details, refer to the original research at Check Point's blog.
