CISA gives agencies two weeks to patch video conferencing bug exploited by Chinese hackers

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) ordered all federal agencies to patch CVE-2026-3502, a TrueConf vulnerability with a CVSS score of 7.8, by 16 April after researchers reported active exploitation. Check Point named the campaign ‘TrueChaos’ and says Chinese-linked actors used the flaw to push malicious updates from compromised on-premises TrueConf servers, abusing a weakness in the software’s update-validation mechanism so that the weaponised package was accepted and executed on connected endpoints. TrueConf released a fix in March after responsible disclosure.

Check Point linked the activity to espionage targeting government entities in Southeast Asia, noting use of the Havoc tool, Alibaba Cloud and Tencent infrastructure, and prior ShadowPad infections as attribution indicators. The attacks typically began when targets clicked links that launched the TrueConf client and displayed a seemingly legitimate update prompt — but the server had already been trojanised to serve a weaponised update.

Key Points

  • CISA has given agencies until 16 April 2026 to patch CVE-2026-3502 in TrueConf (CVSS 7.8).
  • Check Point researchers reported the TrueChaos campaign, attributing it to Chinese actors targeting governments in Southeast Asia.
  • The vulnerability lies in how TrueConf clients validate updates offered by on-premises servers: an attacker who controls the server can distribute malicious update packages that clients accept and run.
  • Attackers used trusted update channels to deliver payloads; initial access often involved a link that triggered an update prompt.
  • Indicators tying the campaign to China include use of Havoc, Alibaba/Tencent hosting and prior ShadowPad infections.
  • TrueConf released a patch in March after disclosure; organisations running on-premises servers should patch immediately and verify the integrity of the update packages their servers serve, since a compromised server is the delivery point.
  • The product is widely used by government, military and critical infrastructure organisations that choose on-premises deployments for privacy and offline operation.
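The mechanism above, reduced to its essence: an update client must not let the server that serves a package also be the sole authority on whether that package is genuine. The following is an added illustration, not TrueConf’s code and not a description of its actual updater; the manifest format, file names and package bytes are constructed for the example. It contrasts a weak check that trusts a server-supplied hash (which an attacker who owns the server can simply recompute for the trojanised file) with a check that only accepts packages whose hash was pinned from an out-of-band source such as the vendor’s signed release list, and it includes a small audit helper for the "verify what your server is serving" step.

```python
"""Added illustration (hypothetical, not TrueConf's updater): why a client must
verify updates against something the serving server cannot forge.

Assumptions (constructed for this example):
  * the server sends a JSON manifest {"file": ..., "sha256": ...} plus the package bytes;
  * the client holds a set of package hashes obtained out of band (simulated below as a
    constant), standing in for a vendor-signed release list.
"""
import hashlib
import json

EXPECTED_FILE = "update.bin"

# Constructed sample: a benign package and the hash the vendor is assumed to have published.
GOOD_PACKAGE = b"UPDATE-PLACEHOLDER v8 benign bytes (constructed)"
VENDOR_PINNED_HASHES = frozenset({hashlib.sha256(GOOD_PACKAGE).hexdigest()})

# Constructed sample: a trojanised package served by a compromised server.
EVIL_PACKAGE = b"UPDATE-PLACEHOLDER v8 implant bytes (constructed)"


def server_manifest(package: bytes, name: str = EXPECTED_FILE) -> str:
    """What the server hands out. Whoever controls the server controls this, so a
    hash in here is a claim, not evidence."""
    return json.dumps({"file": name, "sha256": hashlib.sha256(package).hexdigest()})


def weak_validate(manifest_json: str, package: bytes) -> bool:
    """Insecure pattern: compares the package to the hash the same server supplied.
    An attacker who trojanises the package just updates the manifest to match."""
    manifest = json.loads(manifest_json)
    return hashlib.sha256(package).hexdigest() == manifest.get("sha256")


def hardened_validate(manifest_json: str, package: bytes,
                      pinned: frozenset = VENDOR_PINNED_HASHES) -> bool:
    """Accepts a package only if its hash is in the out-of-band pinned set.
    The server's own hash claim is ignored; an unexpected file name is refused."""
    manifest = json.loads(manifest_json)
    if manifest.get("file") != EXPECTED_FILE:
        return False
    return hashlib.sha256(package).hexdigest() in pinned


def audit_served_packages(served: dict, pinned: frozenset = VENDOR_PINNED_HASHES) -> list:
    """Server-side audit: given {name: bytes} for every package the server offers,
    return the names whose hash is not in the pinned set, sorted for stable output.
    Anything listed here is either an unreleased build or a tampered package."""
    return sorted(name for name, data in served.items()
                  if hashlib.sha256(data).hexdigest() not in pinned)


if __name__ == "__main__":
    forged = server_manifest(EVIL_PACKAGE)
    print("weak check accepts trojanised package:", weak_validate(forged, EVIL_PACKAGE))
    print("hardened check accepts it:", hardened_validate(forged, EVIL_PACKAGE))
    print("unexpected packages on server:",
          audit_served_packages({"update.bin": GOOD_PACKAGE, "update-v8.1.bin": EVIL_PACKAGE}))
```

In a real deployment the pinned set would be replaced by signature verification against a vendor public key baked into the client, so that a release list can be fetched and still not trusted unless it verifies; the structural point is the same: the thing the client checks against must not come from the server it is checking.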

Why should I read this?

Short version: if you run TrueConf, manage secure comms or are responsible for government or critical-infrastructure IT, this matters now. The bug is being actively exploited for espionage, with the updater itself as the delivery method. We read the long technical spiel so you don’t have to: patch the server, verify that the update packages it serves are the vendor’s genuine releases, and hunt on client endpoints for ShadowPad, Havoc or other follow-on implants.

Author style

Punchy: this is high-priority. CISA’s two-week order and Check Point’s findings mean this isn’t theoretical; it’s live espionage. Read the full details if you’re responsible for secure communications or incident response; otherwise, at least check your TrueConf servers and apply the March patch immediately.

Source

Source: https://therecord.media/trueconf-cyberattack-cisa-hackers