CVE-2026-8398

CRITICAL KEV

DAEMON Tools Lite 12.5.0.2421-12.5.0.2434 - Embedded Malicious Code in Trojanized Installer

Title source: llm

Exploitation Summary

CVE-2026-8398 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 27, 2026.

Description

A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions 12.5.0.2421 through 12.5.0.2434), distributed from the legitimate website daemon-tools.cc between approximately April 8, 2026, and May 5, 2026. Attackers gained unauthorized access to the vendor's (AVB Disc Soft) build or distribution infrastructure and trojanized three binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. These files were digitally signed with the legitimate AVB Disc Soft code-signing certificate, allowing the malicious installers to appear trustworthy and bypass signature-based detection.

References (2)

Core 2

Core References

Technical Description, Third Party Advisory technical-description third-party-advisory

DAEMON Tools software infected – supply chain attack ongoing since April 8, 2026

https://securelist.com/tr/daemon-tools-backdoor/119654/

Vendor Advisory vendor-advisory

Security Incident Affecting DAEMON Tools Lite: What We Know So Far

https://blog.daemon-tools.cc/post/security-incident

Scores

CVSS v3 9.8

EPSS 0.0004

EPSS Percentile 12.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CISA KEV 2026-05-27

VulnCheck KEV 2026-05-08

CWE

CWE-506

Status published

Products (1)

AVB Disc Soft/DAEMON Tools Lite 12.5.0.2421 - 2.6.0.*

Published May 15, 2026

KEV Added May 27, 2026

Tracked Since May 15, 2026