TrueConf Client Update Integrity Bypass — Remote Code Execution via Tampered Updates
TrueConf Client downloads application updates without verifying their integrity or authenticity. An attacker who can intercept or influence the update mechanism can deliver a tampered update package, resulting in arbitrary code execution.
This section explains the vulnerability in everyday language, so anyone can understand the risk and impact.
Imagine you get a software update notification from your video conferencing app, TrueConf. You click 'update' thinking it's legit — but the app never actually checks if the update is real or fake. An attacker sitting on your network (or who compromised the update server) can slip in malicious code disguised as an update. Your computer installs it without question. This was used as a zero-day in real attacks against Southeast Asian government networks in an operation called 'TrueChaos.' CISA added it to their must-patch list.
Affected Products
Remediation
Update to TrueConf Client version 8.5 or later, which adds update integrity verification. If immediate patching is not possible, block or monitor TrueConf update traffic at the network perimeter.
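The control the vulnerable client lacks, shown as an added example that is not TrueConf's code: an updater that installs whatever arrives beside one that only accepts a package whose signature verifies under a vendor key pinned in the client. The Ed25519 signature scheme, the version-plus-payload digest, and all names are assumptions for illustration, not details of the real update protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage models what a client receives: the claimed version, the
// installer bytes, and the vendor's detached signature (hypothetical format).
type UpdatePackage struct {
	Version string
	Payload []byte
	Sig     []byte
}

// digest binds version and payload so an old signed installer cannot be
// replayed under a newer version label.
func digest(version string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte{0}) // separator between the two fields
	h.Write(payload)
	return h.Sum(nil)
}

// acceptUnverified mirrors the vulnerable behaviour: any non-empty package
// is treated as a genuine update and installed.
func acceptUnverified(pkg UpdatePackage) bool { return len(pkg.Payload) > 0 }

// acceptVerified is the hardened check: install only if the signature
// verifies under the key compiled into the client, never a key sent by the server.
func acceptVerified(pinned ed25519.PublicKey, pkg UpdatePackage) error {
	if len(pkg.Sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(pinned, digest(pkg.Version, pkg.Payload), pkg.Sig) {
		return errors.New("signature does not verify; refusing to install")
	}
	return nil
}

// signUpdate stands in for the vendor's release pipeline.
func signUpdate(priv ed25519.PrivateKey, version string, payload []byte) UpdatePackage {
	return UpdatePackage{Version: version, Payload: payload, Sig: ed25519.Sign(priv, digest(version, payload))}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	good := signUpdate(priv, "8.5.0", []byte("constructed installer bytes"))
	tampered := good
	tampered.Payload = []byte("constructed installer bytes plus injected code")
	fmt.Println("unverified accepts tampered:", acceptUnverified(tampered))
	fmt.Println("verified accepts good:", acceptVerified(pub, good))
	fmt.Println("verified accepts tampered:", acceptVerified(pub, tampered))
}
```

The relabel and wrong-key cases matter as much as byte tampering: a verifier that signs only the payload, or trusts a public key delivered alongside the update, still lets an interposed server win.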