A high-severity zero-day vulnerability in TrueConf client video conferencing software has been actively exploited in attacks targeting government entities across Southeast Asia. The flaw, designated CVE-2026-3502, stems from a lack of integrity checks when the application fetches update code, enabling attackers to distribute malicious updates to unsuspecting users.
The vulnerability carries a CVSS score of 7.8, indicating high severity. Security researchers have dubbed the ongoing campaign "TrueChaos," which specifically targets government networks in the Southeast Asian region. The zero-day nature of the attacks means victims were exposed before patches became available.
The attack abuses TrueConf's update mechanism, which does not verify the integrity of the update code it fetches. When the software attempts to download and install updates, attackers can intercept this process and inject malicious code disguised as a legitimate update. This allows for remote code execution on targeted systems without user awareness.
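The kind of pre-install check whose absence is described above can be sketched as follows. This is an added example, not TrueConf's code and not taken from the reporting; the manifest fields, function names and sample payloads are hypothetical, and the manifest is assumed to have been authenticated separately (for example by a vendor signature). It also goes one step beyond the article by rejecting version rollbacks.

```python
import hashlib
import hmac


class UpdateRejected(Exception):
    """Raised when a downloaded update fails a pre-install check."""


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def unchecked_update(package, manifest, installed_version):
    """Flawed pattern: whatever bytes were downloaded are accepted."""
    return manifest["version"]


def verify_update(package, manifest, installed_version):
    """Return the new version only if `package` matches the trusted manifest.

    Assumption: `manifest` itself was authenticated before this call.
    """
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        raise UpdateRejected("version is not newer than the installed one")
    if len(package) != manifest["size"]:
        raise UpdateRejected("size differs from manifest")
    digest = hashlib.sha256(package).hexdigest()
    # Constant-time comparison of the computed and expected digests.
    if not hmac.compare_digest(digest, manifest["sha256"]):
        raise UpdateRejected("SHA-256 differs from manifest")
    return manifest["version"]


# Constructed sample data, not real TrueConf artifacts.
GENUINE = b"constructed update payload v2.0.1 (genuine)"
TAMPERED = GENUINE.replace(b"genuine", b"swapped")  # same length, other bytes
MANIFEST = {"version": "2.0.1", "size": len(GENUINE),
            "sha256": hashlib.sha256(GENUINE).hexdigest()}


def demo():
    """Run both sample payloads through the check and collect the outcomes."""
    results = {}
    for name, blob in (("genuine", GENUINE), ("tampered", TAMPERED)):
        try:
            results[name] = verify_update(blob, MANIFEST, "2.0.0")
        except UpdateRejected as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    print(demo())
```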
Patch availability and specific mitigation measures were not detailed in the available reporting. Organizations using TrueConf video conferencing software, particularly government entities in Southeast Asia, should monitor for security advisories from the vendor and consider temporarily restricting the software's update capabilities until fixes are deployed.
The TrueChaos campaign represents a targeted espionage effort against government infrastructure, highlighting the continued vulnerability of enterprise communication tools to sophisticated threat actors focusing on high-value institutional targets.