NEWS A Chain of 0-day Vulnerabilities Found in Russia's TrueConf Server, Allowing Remote Code Execution

ExcalibuR


Authorization flaws and a lack of login restrictions facilitate host takeover.

0-day vulnerabilities have been identified in the TrueConf Server corporate video conferencing system. Researchers from CyberOK discovered a vulnerability chain that, when exploited sequentially, can lead to host compromise. Additionally, a reflected XSS vulnerability was found, which can serve as an alternative attack vector.

According to CyberOK, approximately 11,000 TrueConf instances are operating within the Russian segment of the internet. Roughly 30% of them are potentially vulnerable to the chain of three vulnerabilities. At the time of assessment, about 1,300 instances were susceptible to the XSS vulnerability.

The researchers described three linked steps that allow an attacker to gain privileges and execute commands on the server. The first issue, registered as COK-2025-10-15 and listed in the FSTEC database under number 2025-13736, is related to insufficient control in the authorization mechanism. It allows for the bypass of permission checks and access to functions unavailable to a regular user, opening the path for further escalation.

The second flaw, designated as COK-2025-10-16 and registered as 2025-13737, is related to the absence of restrictions on the number of login attempts. This enables brute-force attacks and automated checking of leaked credentials, leading to the acquisition of a valid admin account.
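The missing control described above is a login-attempt limit. As an added illustration that is not TrueConf's code, the throttle below counts failures per account and per source address inside a sliding window and refuses further attempts once either counter reaches its threshold, before any password is checked; the class name, thresholds, the source address `203.0.113.5` and the usernames in the demo are all constructed for this example.

```python
"""Login-attempt throttling (added example, not TrueConf code).

Failed attempts are counted per account and per source address inside a
sliding window; once a counter reaches the threshold, that key is locked
for a fixed period and later attempts are rejected before any password
check runs, which blunts plain brute force and credential stuffing alike.
"""
import time
from collections import deque
from typing import Callable, Deque, Dict


class LoginThrottle:
    def __init__(self, max_attempts: int = 5, window_seconds: float = 300.0,
                 lockout_seconds: float = 900.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self.clock = clock                               # injectable for testing
        self._failures: Dict[str, Deque[float]] = {}     # key -> failure timestamps
        self._locked_until: Dict[str, float] = {}        # key -> lock expiry time

    @staticmethod
    def _keys(username: str, source_ip: str):
        # Two independent counters: one for the account, one for the source.
        return (f"user:{username.lower()}", f"ip:{source_ip}")

    def is_locked(self, username: str, source_ip: str) -> bool:
        now = self.clock()
        return any(self._locked_until.get(k, 0.0) > now
                   for k in self._keys(username, source_ip))

    def record(self, username: str, source_ip: str, success: bool) -> bool:
        """Record one attempt. Returns False when the attempt was rejected."""
        now = self.clock()
        if self.is_locked(username, source_ip):
            return False
        for key in self._keys(username, source_ip):
            q = self._failures.setdefault(key, deque())
            if success:
                if key.startswith("user:"):
                    q.clear()        # a real login clears the account counter only
                continue
            q.append(now)
            while q and now - q[0] > self.window_seconds:
                q.popleft()          # drop failures that fell out of the window
            if len(q) >= self.max_attempts:
                self._locked_until[key] = now + self.lockout_seconds
                q.clear()
        return True


def demo_credential_stuffing() -> list:
    """Constructed scenario: one source tries leaked pairs against many accounts."""
    fake_now = [0.0]
    throttle = LoginThrottle(max_attempts=5, clock=lambda: fake_now[0])
    results = []
    # Six different accounts from the same address, all with wrong passwords.
    for n in range(6):
        results.append(throttle.record(f"user{n}", "203.0.113.5", success=False))
    # A further account is also refused: the source-address counter is locked.
    results.append(throttle.record("admin", "203.0.113.5", success=False))
    fake_now[0] += 901.0                   # the 900 s lockout has expired
    results.append(throttle.record("admin", "203.0.113.5", success=False))
    return results
```

Locking only the account would let an attacker keep the real administrator locked out, so the per-source counter carries most of the weight; in production this state lives in a shared store rather than process memory, and the lockout is usually paired with progressive delays and alerting on the locked keys.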

The third vulnerability, COK-2025-10-27, reflected in the FSTEC database as 2025-13738, is an OS command injection flaw: it allows operating system commands to be injected and executed on the server. Combined with the previous steps, it leads to a complete remote takeover of the host.
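To show what an OS command injection flaw of this class looks like and how it is closed, here is an added, generic example that is not TrueConf's code: a hypothetical diagnostics feature that pings a user-supplied host. The vulnerable form splices the input into a shell command line; the hardened form validates the target as an IP address or hostname and passes it as a separate argv element with no shell involved. All function names and sample inputs are constructed for this illustration.

```python
"""OS command injection, vulnerable and hardened (added example, not TrueConf code)."""
import ipaddress
import re
import subprocess
from typing import List

# Strict RFC 1123-style hostname: labels of letters, digits and hyphens,
# no leading or trailing hyphen, no spaces or shell metacharacters.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_ping_command(host: str) -> str:
    # VULNERABLE: untrusted input becomes part of a shell command line.
    # Anything the shell interprets (;, |, $(...), backticks) is executed.
    return f"ping -c 1 {host}"   # would be run with shell=True


def validate_target(host: str) -> str:
    """Return the target unchanged if it is a valid IP address or hostname."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(host):
        return host
    raise ValueError("target is not a valid IP address or hostname")


def safe_ping_argv(host: str) -> List[str]:
    # HARDENED: the target is validated and passed as its own argv element;
    # no shell parses the line, so metacharacters have no meaning.
    return ["ping", "-c", "1", validate_target(host)]


def run_ping(host: str) -> int:
    """Run the diagnostic without a shell and return the exit status."""
    completed = subprocess.run(
        safe_ping_argv(host), shell=False, capture_output=True,
        timeout=10, check=False,
    )
    return completed.returncode
```

The validation step matters even without a shell: a leading hyphen would otherwise be parsed as a ping option, which is why the regex rejects it. Running such helpers under a dedicated low-privilege account, or replacing the external command with a library call, limits what a bypass could reach.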

In addition to the main chain, a reflected XSS vulnerability, COK-2025-09-08 (registered as 2025-11412), was identified. It allows the execution of malicious JavaScript in the context of the victim's browser, theft of session cookies, or performing actions on behalf of the user. It can be used as a primary vector for session hijacking.
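Reflected XSS of the kind described arises when a request parameter is written back into the page without encoding. The added example below, which is not TrueConf's code, shows a hypothetical search page in its vulnerable and hardened forms, plus the response headers that limit what a successful injection could do with the session cookie; the URL, parameter name and cookie name are constructed for the illustration.

```python
"""Reflected XSS, vulnerable and hardened (added example, not TrueConf code)."""
import html
from typing import Dict
from urllib.parse import parse_qs, urlsplit

# Constructed request: the q parameter carries an HTML script element.
SAMPLE_URL = "https://conf.example/search?q=%3Cscript%3Ealert(1)%3C/script%3E"


def _query_param(url: str, name: str) -> str:
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_search_vulnerable(url: str) -> str:
    # VULNERABLE: the raw parameter is inserted into the HTML body, so any
    # markup it contains is parsed and executed by the victim's browser.
    q = _query_param(url, "q")
    return f"<p>Results for: {q}</p>"


def render_search_safe(url: str) -> str:
    # HARDENED: entity-encode for the HTML text context it is placed in;
    # quote=True also covers the attribute context.
    q = _query_param(url, "q")
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def hardened_headers(session_id: str) -> Dict[str, str]:
    """Defence in depth: script from injected markup cannot read the cookie
    (HttpOnly) and inline script is refused by the CSP."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Set-Cookie": f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax",
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"
        ),
        "X-Content-Type-Options": "nosniff",
    }
```

Output encoding has to match the context (HTML body, attribute, JavaScript string, URL), so a templating engine with automatic contextual escaping is the practical fix; the headers do not remove the bug but shrink the impact the article describes, namely cookie theft and actions on behalf of the user.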

The researchers note that the combination of authorization shortcomings, a lack of brute-force protection, and the ability to execute OS commands forms a high-risk chain suitable for automation and remote server compromise.

It is recommended to update TrueConf Server to version 5.5.2 and to contact the vendor if necessary. The update is announced in the vendor's blog post "TrueConf Server 5.5.2". The TrueConf developers responded promptly and patched the vulnerabilities.