CISA Orders Patch for TrueConf Vulnerability Exploited in Alleged Chinese Espionage Campaign
The **Cybersecurity and Infrastructure Security Agency (CISA)** has mandated that federal agencies patch a critical vulnerability in the **TrueConf** video conferencing platform. The flaw, **CVE-2026-3502**, is actively being exploited in a campaign dubbed 'TrueChaos,' allegedly orchestrated by Chinese hackers targeting Southeast Asian governments.
A vulnerability in **TrueConf**, a widely used video conferencing product, is under active exploitation, prompting urgent action from the U.S. government.
### CISA's Directive
**CISA** has issued a directive requiring all federal agencies to patch **CVE-2026-3502** by April 16. This vulnerability in **TrueConf** carries a severity score of 7.8 out of 10, indicating a significant risk.
### "TrueChaos" Campaign
The urgency follows a report by **Check Point** researchers detailing a hacking campaign, named 'TrueChaos,' allegedly conducted by Chinese actors. The campaign reportedly targets governments in Southeast Asia and leverages the **CVE-2026-3502** vulnerability.
**Check Point** stated that the exploitation began in early 2026 and commonly involved the **Havoc** penetration testing tool. This tool has been repeatedly used by Chinese threat actors in the past year.
### Vulnerability Details
According to **Check Point**, the vulnerability lies within the application's updater validation mechanism. An attacker gaining control of an on-premises **TrueConf** server can exploit this flaw to distribute and execute arbitrary files across connected endpoints. This is achieved through the trusted update channel, where malicious updates are pushed to unsuspecting clients.
### Widespread Impact
**TrueConf** is deployed in approximately 100,000 organizations across Asia, Europe, and the Americas. Its primary users are in the government, military, and critical infrastructure sectors, where it is valued for keeping data private and communications under the organization's own control, especially in secure or remote environments.
**Check Point** highlights **TrueConf**'s utility in areas with limited or no internet connectivity, or during natural disasters, facilitating essential coordination. The ability to host the server on internal hardware keeps all audio, video, and chat traffic contained on-site, with offline activation available for fully air-gapped systems.
### Infection Vector
Initial infections typically begin with links sent to victims prompting them to update to a newer version of the **TrueConf** client. By that point the attacker has already replaced the update package on the on-premises server with a weaponized version, so the client retrieves a malicious file during the update process.
In one instance, a compromised **TrueConf** on-premises server, operated by a governmental IT department, served as a video conferencing platform for numerous government entities. These entities were all supplied with the same malicious update.
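As an added illustration (not TrueConf's code and not part of Check Point's report), the hypothetical updater below shows the client-side control that the Vulnerability Details and Infection Vector sections point at: the client pins the vendor's release key and refuses any package whose digest is not signed by that key, so a package swapped on a compromised on-premises server is rejected even if the server also rewrites the manifest. The manifest layout, the key handling and the sample package bytes are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Hypothetical manifest (not TrueConf's format): the vendor signs the package
// digest offline, the client pins the vendor public key, the server only relays.
type Manifest struct {
	Digest [32]byte
	Sig    []byte
}

// Release runs at the vendor: hash the package and sign the digest.
func Release(priv ed25519.PrivateKey, pkg []byte) Manifest {
	m := Manifest{Digest: sha256.Sum256(pkg)}
	m.Sig = ed25519.Sign(priv, m.Digest[:])
	return m
}
// InstallVerified is the client-side check: refuse a package unless its digest
// is covered by a signature from the pinned vendor key, so a server that swaps
// the package or rewrites the manifest still cannot get its file executed.
func InstallVerified(pinned ed25519.PublicKey, m Manifest, pkg []byte) error {
	if sha256.Sum256(pkg) != m.Digest {
		return fmt.Errorf("package digest does not match manifest")
	}
	if !ed25519.Verify(pinned, m.Digest[:], m.Sig) {
		return fmt.Errorf("manifest not signed by the pinned vendor key")
	}
	return nil
}
// RunScenario models a compromised on-prem server that swaps the package and
// re-signs the manifest with its own key; it reports what the client accepted.
func RunScenario() map[string]bool {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := []byte("constructed genuine client build") // constructed sample data
	swapped := []byte("constructed weaponized build")     // constructed sample data
	manifest := Release(vendorPriv, genuine)
	forged := Release(attackerPriv, swapped) // the attacker lacks the vendor key
	return map[string]bool{
		"genuine_accepted": InstallVerified(vendorPub, manifest, genuine) == nil,
		"swapped_accepted": InstallVerified(vendorPub, manifest, swapped) == nil,
		"forged_accepted":  InstallVerified(vendorPub, forged, swapped) == nil,
	}
}

func main() { fmt.Println(RunScenario()) }
```

A digest check alone would not be enough, since an attacker who controls the server can rewrite the manifest's digest; the signature from a key the server never holds is what makes server compromise insufficient.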
### Attribution to Chinese Actors
**Check Point** attributes the 'TrueChaos' campaign to Chinese actors based on the tactics, techniques, and procedures (TTPs) observed, along with the use of **Alibaba Cloud** and **Tencent** hosting tools. Furthermore, the same victim was targeted with the **ShadowPad** malware, a known tool associated with Chinese threat actors.