CISA gives agencies two weeks to patch video conferencing bug exploited by Chinese hackers
Summary: The video conferencing software TrueConf has a serious vulnerability, CVE-2026-3502, which Chinese hackers have used in espionage against Southeast Asian governments. The U.S. government has required all agencies to patch the vulnerability within two weeks.

2026-4-3 19:45:44 Author: therecord.media

A bug in a popular line of video conferencing software is being exploited by hackers, prompting the U.S. government to order all agencies to patch the vulnerability within two weeks. 

The Cybersecurity and Infrastructure Security Agency (CISA) gave federal agencies until April 16 to patch CVE-2026-3502, a vulnerability in the video conferencing tool TrueConf. The bug carries a severity score of 7.8 out of 10. 

CISA’s confirmation that the vulnerability is being exploited follows a report from cybersecurity researchers at Check Point outlining an alleged Chinese hacking campaign targeting governments in Southeast Asia. 

Check Point said Chinese hackers have been exploiting the vulnerability in a campaign they call TrueChaos. The campaign started in early 2026 and typically involved the Havoc penetration testing tool, which Chinese actors have repeatedly abused over the last year. 

Check Point said it disclosed the bug to TrueConf, which developed a fix that was released in March. 

“At the beginning of 2026, Check Point Research observed a series of targeted attacks against government entities in Southeast Asia carried out via a legitimate TrueConf software installed in the targets’ environment,” the researchers said. 

“The flaw affects the application’s updater validation mechanism and allows an attacker controlling an on-premises TrueConf server to distribute and execute arbitrary files across connected endpoints.”

During exploitation of the bug, the hackers used the trusted update channel to distribute malicious updates. Check Point noted that the targeting indicates the campaign was likely focused on espionage.

TrueConf is used widely across organizations in Asia, Europe and the Americas, serving about 100,000 organizations globally. Check Point said it is used primarily by government, military, and critical infrastructure sectors “to ensure absolute data privacy and communication autonomy in secure or remote environments.” 

“In locations with poor or no internet connectivity, or during natural disasters when traditional networks are down, it facilitates essential coordination. By hosting the server on internal hardware, all audio, video, and chat traffic remains strictly contained on-site, with offline activation available for fully air-gapped systems,” Check Point explained. 

Most infections likely began through a link sent to the victims. The links launched the TrueConf client and showed an update prompt claiming that a newer version was available.

“Prior to the victim’s interaction, the attacker had already replaced the update package on the TrueConf on-premises server with a weaponized version, ensuring that the client retrieved a malicious file through the normal update process,” Check Point said. 

“The compromised TrueConf on-premises server was operated by the governmental IT department and served as a video conferencing platform for dozens of government entities across the country, which were all supplied with the same malicious update.”

Check Point attributed the campaign to Chinese actors based on the tactics deployed and the use of Alibaba Cloud and Tencent hosting tools. The company also saw the same victim targeted with the ShadowPad malware — a hallmark of Chinese actors. 


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.


Article source: https://therecord.media/trueconf-cyberattack-cisa-hackers