About Remote Code Execution – TrueConf Server (BDU:2025-10116, BDU:2025-10115, BDU:2025-10114) vulnerability. TrueConf Server is a popular Russian corporate messenger and video conferencing system. A chain of critical vulnerabilities in TrueConf Server was discovered by PT SWARM expert Nikita Petrov:
🔻 Vulnerability BDU:2025-10114 is related to insufficient access control and allows an attacker to send requests to certain administrative endpoints without permission checks or authentication.
🔻 Vulnerability BDU:2025-10115 allows an attacker to read arbitrary files on the system.
🔻 The most critical – BDU:2025-10116 – allows a potential attacker to inject and execute arbitrary OS commands.
⚙️ Security updates were released on August 27, 2025.
👾🛠 There are currently no signs of exploitation in the wild or public exploits.
🌐 According to Positive Technologies, there are over 7,000 TrueConf Server installations in Russia alone.
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.