TrueConf Zero-Day Exploited in Attacks on Southeast Asian Government Networks

A high-severity zero-day vulnerability in TrueConf video conferencing software, tracked as CVE-2026-3502, is being exploited by Chinese-nexus threat actors to compromise government networks across Southeast Asia.

Key points

  • The vulnerability, CVE-2026-3502, allows attackers to distribute malicious updates by bypassing integrity checks in the TrueConf Windows client.
  • Security researchers at Check Point identified the "TrueChaos" campaign, which uses the flaw to deploy the Havoc command-and-control framework.
  • Attackers gain control of on-premises TrueConf servers to push rogue installers that execute DLL side-loading attacks on connected endpoints.
  • TrueConf released a patch for the flaw in version 8.5.3, which users are urged to install immediately to prevent unauthorized code execution.
  • Attribution links the campaign to Chinese-nexus actors based on infrastructure usage and tactical similarities to previous operations like Amaranth-Dragon.

Why it matters

This exploit demonstrates the significant risk posed by supply chain attacks that weaponize trusted software update mechanisms to bypass individual endpoint security. By compromising a central server, attackers can efficiently infiltrate entire government networks without needing to target each device separately.

Published by info@thehackernews.com (The Hacker News)