Hackers Exploit TrueConf Zero-Day to Push Malicious Software Updates

Threat actors have actively exploited a zero-day vulnerability in TrueConf, an enterprise video conferencing platform, to push malicious software updates to all devices connected to a compromised TrueConf server. The attack vector abuses TrueConf's built-in update distribution mechanism, converting a legitimate enterprise feature into a remote code execution channel.

The Vulnerability

The zero-day resides in TrueConf Server's update distribution component — the server-side mechanism responsible for pushing client software updates to registered endpoints across an organization. The flaw allows an attacker with access to the TrueConf server (gained via a separate compromise or a secondary vulnerability in the platform) to:

1. Inject a malicious executable as a staged software "update"
2. Trigger forced update distribution to all connected TrueConf clients
3. Achieve arbitrary code execution on every endpoint that accepts the update — potentially the entire organization

The vulnerability is pre-authentication in some deployment configurations, meaning attackers may not require valid credentials to exploit the update injection path against internet-exposed TrueConf server instances.

Attack Chain

[Attacker] --> [TrueConf Server (zero-day)]
                  |
                  v
         [Malicious "update" injected]
                  |
                  v
    [All TrueConf clients receive "update"]
                  |
                  v
    [Arbitrary code executed on endpoints]

The attack chain is particularly dangerous because:

• Update mechanisms bypass endpoint security — many EDR and antivirus solutions whitelist software update processes
• Wide blast radius — a single server compromise leads to mass endpoint compromise
• Trusted delivery path — employees are conditioned to accept legitimate software updates, reducing suspicion

Affected Deployments

TrueConf is deployed across enterprise, government, healthcare, and education environments, with a significant footprint in Russian-speaking regions and Eastern European organizations. The platform's on-premises server model means exposures vary by customer deployment.

Particularly at risk:

• Organizations with TrueConf Server exposed to the internet (no VPN requirement)
• Deployments running older TrueConf Server versions
• Organizations without software update integrity verification (code signing enforcement)

TrueConf Response

At time of publication, TrueConf had not released a public patch or advisory. BleepingComputer reported that attacks were observed in the wild exploiting this vulnerability. Organizations running TrueConf should treat this as an active zero-day requiring immediate mitigations.

Immediate Mitigations

While a patch is unavailable, organizations should take the following steps:

Isolate TrueConf Servers

# Block external access to TrueConf Server (adjust firewall rules)
# Default TrueConf ports: 80, 443, 4307, 5060, 5061, 8765
 
# Linux iptables example
iptables -I INPUT -p tcp --dport 4307 -s 0.0.0.0/0 ! -s <trusted_subnet> -j DROP
iptables -I INPUT -p tcp --dport 8765 -s 0.0.0.0/0 ! -s <trusted_subnet> -j DROP
 
# Restrict to internal network only

Disable Automatic Update Distribution

1. Access TrueConf Server Admin Panel
2. Navigate to Software Updates or Client Management
3. Disable automatic update distribution until a patch is available
4. Notify users that TrueConf updates will be suspended temporarily

Monitor for Indicators of Compromise

Watch for:

• Unusual processes spawned by TrueConf.exe or trueconf-client parent processes
• Unexpected network connections from TrueConf client processes to external IPs
• New executables appearing in TrueConf update staging directories
• TrueConf server logs showing unexpected update package uploads

# Windows — check TrueConf child processes
Get-Process | Where-Object { $_.Parent.ProcessName -eq "TrueConf" }
 
# Monitor TrueConf update directory for unexpected files
Get-ChildItem "C:\Program Files\TrueConf\updates\" | Select-Object Name, LastWriteTime, Length

Endpoint Response

If compromise is suspected:

1. Isolate affected endpoints from the network immediately
2. Preserve forensic evidence — take memory dumps and disk images before remediation
3. Assume lateral movement — TrueConf is commonly installed on endpoints across an entire organization
4. Audit all TrueConf-connected devices for signs of malicious executable execution

Broader Context

This attack follows a pattern of threat actors targeting trusted software update and distribution mechanisms as a high-efficiency initial access and lateral movement vector. Similar tactics have been observed in:

• The 2020 SolarWinds SUNBURST campaign
• The 2021 Kaseya VSA attack
• Multiple 2025–2026 supply chain attacks targeting development tooling

Video conferencing platforms represent a particularly attractive target because they are:

• Deployed universally across organizations (IT, executives, all departments)
• Trusted by endpoints to deliver and execute software
• Often excluded from stringent security reviews due to their perceived low-risk nature
• Frequently exposed to the internet for remote work use cases

Recommended Actions

• Disable TrueConf automatic updates immediately and switch to manual, verified update workflows
• Restrict TrueConf Server access to internal networks or VPN only
• Monitor endpoints for unusual child processes spawned by TrueConf clients
• Audit TrueConf server logs for unauthorized update package uploads
• Scan recently updated TrueConf installations for malicious executables
• Contact TrueConf directly for vendor guidance and patch availability timelines

Source: BleepingComputer — April 1, 2026