LiveActive security incident?Get immediate response
CVE Record

CVE-2026-8398: A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions...

A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions 12.5.0.2421 through 12.5.0.2434), distributed from the legitimate website daemon-tools.cc between approximately April 8, 2026, and May 5, 2026. Attackers gained unauthorized access to the vendor's (AVB Disc Soft) build or distribution infrastructure and trojanized three binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. These files were digitally signed with the legitimate AVB Disc Soft code-signing certificate, allowing the malicious installers to appear trustworthy and bypass signature-based detection.

CriticalCVSS 9.8Known exploitedUpdated
Glexia's TakeHuman reviewedcritical

Security readout for executives and security teams

Plain-English summary

This is a high-urgency supply-chain compromise of DAEMON Tools Lite for Windows. Users who downloaded official installers during the stated window may have installed malicious, vendor-signed binaries. Because the files used a legitimate certificate, normal trust prompts and signature checks could have looked clean.

Executive priority

Treat this as an incident-scoping priority, not routine patching. The business risk is trusted software distributing malicious signed code, which can bypass normal user and security assumptions. Prioritize identifying exposed endpoints and containment decisions.

Technical view

Attackers reportedly compromised AVB Disc Soft build or distribution infrastructure and trojanized DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe in DAEMON Tools Lite 12.5.0.2421 through 12.5.0.2434. The issue maps to CWE-506 and carries CVSS 3.1 9.8 with high confidentiality, integrity, and availability impact.

Likely exposure

Exposure is most likely on Windows endpoints that installed DAEMON Tools Lite from daemon-tools.cc between approximately April 8, 2026 and May 5, 2026. Software inventory, download history, EDR telemetry, and installed binary versions are the most relevant scoping sources.

Exploitation context

CISA KEV listing supports known exploitation. Securelist describes the supply-chain attack as ongoing since April 8, 2026. The provided bundle does not include exploit mechanics, targeting details, or a complete remediation timeline.

Researcher notes

The source bundle provides strong evidence of supply-chain compromise, affected installer window, trojanized filenames, legitimate signing, CVSS, and KEV status. It does not provide full indicators, exploit details, or definitive cleanup steps, so validation should stay tied to vendor and CISA updates.

Mitigation direction

  • Identify endpoints with DAEMON Tools Lite versions 12.5.0.2421 through 12.5.0.2434.
  • Stop using installers downloaded during the April 8 to May 5, 2026 window.
  • Follow AVB Disc Soft vendor guidance for cleanup, replacement installers, and certificate status.
  • Quarantine or rebuild systems where trojanized binaries are confirmed.
  • Rotate credentials used on affected systems if compromise is suspected.

Validation and detection

  • Inventory installed DAEMON Tools Lite versions across Windows endpoints.
  • Check endpoint telemetry for DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe anomalies.
  • Review download and installation timestamps against the exposure window.
  • Confirm whether binaries were sourced from daemon-tools.cc during the affected period.
  • Track CISA KEV and vendor advisory updates for revised scope or remediation.
Prepared
Reviewed
Confidence
high
Sources
5

Michael Williams reviewed this cited source version on .

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-506: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-8398 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
9.8 (3.1)
Known Exploited
Yes
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

2CVSS vectors
6Timeline events
1ADP providers
4Source links

CISA KEV status

Status
Known exploited
Source
CISA-ADP
Date added
KEV reference

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: activeAutomatable: yesTechnical Impact: total

CVSS vector scores

2 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
9.8CVSS 3.1CriticalCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H3.95.9Kaspersky
9.3CVSS 4.0CriticalCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:NKaspersky

Vulnerability scoring details

Base CVSS 4.0 score

9.3Critical
CVSS 4.0 vector shape for CVE-2026-8398Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. Source timelineKaspersky

    Advisory published by vendor

  2. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  3. CVE publishedCVE Program

    The CVE record was published.

  4. Added to KEVCISA-ADP

    CISA Known Exploited Vulnerabilities metadata lists this CVE as known exploited.

  5. ADP timelineCISA-ADP

    CVE-2026-8398 added to CISA KEV

  6. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvcother:kev
  • 2026-05-27T00:00:00.000Z: CVE-2026-8398 added to CISA KEV

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
AVB Disc SoftDAEMON Tools Lite12.5.0.2421unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-506 · source CWE mapping

Embedded Malicious Code

Embedded Malicious Code represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.