The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive requiring all federal agencies to remediate a critical vulnerability in TrueConf video conferencing software, tracked as CVE-2026-3502. The flaw, which carries a severity score of 7.8 out of 10, has been confirmed to be under active exploitation.
Operation "TrueChaos" Targets Government Entities
The directive follows recent findings by cybersecurity firm Check Point. Researchers found that a threat actor dubbed "TrueChaos" has been exploiting the vulnerability since early 2026 to target government entities across Southeast Asia. The group has frequently been observed using the Havoc penetration testing framework to conduct espionage through compromised video conferencing systems.
Check Point’s report reveals that the vulnerability lies within the software’s update verification mechanism. By gaining control of an enterprise-deployed TrueConf server, attackers can tamper with update packages, allowing them to push and execute malicious files on all connected endpoints. Because TrueConf is frequently used by government, military, and critical infrastructure sectors to secure internal communications, these attacks are highly targeted.
"The hackers are distributing malicious updates to dozens of government entities by leveraging the victims' internal IT servers," Check Point researchers stated. Most victims were infected after clicking links that triggered update prompts. Because the software is often deployed in relatively closed or air-gapped environments, these fraudulent updates are particularly deceptive.
Based on the group's tactics, its use of tools hosted on Alibaba Cloud and Tencent Cloud, and traces of the ShadowPad malware found on victim devices, Check Point has attributed the campaign to a China-linked hacking group. TrueConf currently serves approximately 100,000 organizational clients globally, with a broad footprint across Asia, Europe, and the Americas.
TrueConf released a security patch this past March after being alerted to the vulnerability. CISA is mandating that federal agencies complete the update process by the specified deadline to mitigate the risk of further data breaches.