CVE-2026-8398
Published: 15 May 2026
Summary
CVE-2026-8398 is a critical-severity Embedded Malicious Code (CWE-506) vulnerability in Disc-Soft Daemon Tools. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002). The CVE ranks in the top 29.7% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-12 (Supply Chain Protection) and SI-7 (Software, Firmware, and Information Integrity).
Deeper analysis
A supply chain attack compromised the official installation packages of DAEMON Tools Lite for Windows, specifically versions 12.5.0.2421 through 12.5.0.2434, distributed from daemon-tools.cc between April 8 and May 5, 2026. Attackers accessed the vendor AVB Disc Soft's build or distribution infrastructure and inserted malicious code into three binaries—DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe—which retained valid digital signatures from the vendor's code-signing certificate. The issue is tracked as CVE-2026-8398 with a CVSS 4.0 score of 9.3 and is classified under CWE-506 for embedded malicious code.
Users who downloaded and installed the affected packages from the legitimate site received trojanized executables that could execute arbitrary code with high impact on confidentiality, integrity, and availability. Because the files carried trusted signatures, signature-based detection mechanisms were bypassed, enabling the backdoor to persist on victim systems without immediate detection.
Vendor and third-party advisories, including the official Daemon Tools security incident notice and CISA's Known Exploited Vulnerabilities catalog, list the affected versions and direct users to verify installer integrity or obtain clean copies from updated distribution channels. The Kaspersky analysis further documents the backdoor behavior observed in the trojanized binaries.
The EPSS score for this CVE rose from lower values to a peak of 0.3302 on May 28, 2026, before receding to the current 0.1439, indicating a clear post-disclosure increase in exploitation interest that warrants renewed attention from defenders.
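The following is an added example, not code from the original page, the vendor, or any advisory. It classifies software-inventory rows against the affected version range and distribution window given above. The record fields (`host`, `product`, `version`, `first_installed`) and the sample rows are assumptions; only the version range and dates come from the text.

```python
from datetime import date

# Affected range and distribution window as stated in the text above.
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)
WINDOW_START, WINDOW_END = date(2026, 4, 8), date(2026, 5, 5)
PRODUCT = "daemon tools lite"


def parse_version(text):
    """Return '12.5.0.2421' as a 4-tuple of ints, or None if it is not a
    full four-part numeric version (truncated values cannot be ruled out)."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def triage(record):
    """Classify one inventory record as 'affected', 'review' or 'clear'."""
    if PRODUCT not in record["product"].lower():
        return "clear"
    version = parse_version(record["version"])
    if version is None:
        return "review"  # product present, build unknown: check by hand
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    first = record.get("first_installed")  # assumed field: first-install date
    if first and WINDOW_START <= first <= WINDOW_END and version > AFFECTED_MAX:
        return "review"  # updated since, but may have run an affected build
    return "clear"


# Constructed sample inventory: hosts, rows and out-of-range builds are invented.
INVENTORY = [
    {"host": "ws-01", "product": "DAEMON Tools Lite", "version": "12.5.0.2421", "first_installed": date(2026, 4, 8)},
    {"host": "ws-02", "product": "DAEMON Tools Lite", "version": "12.5.0.2434", "first_installed": date(2026, 5, 5)},
    {"host": "ws-03", "product": "DAEMON Tools Lite", "version": "12.5.0.2435", "first_installed": date(2026, 4, 20)},
    {"host": "ws-04", "product": "DAEMON Tools Lite", "version": "12.5.0.2420", "first_installed": date(2026, 3, 1)},
    {"host": "ws-05", "product": "DAEMON Tools Lite", "version": "12.5", "first_installed": None},
    {"host": "ws-06", "product": "7-Zip", "version": "12.5.0.2425", "first_installed": date(2026, 4, 15)},
]


def report(inventory):
    """Map each host to its verdict."""
    return {r["host"]: triage(r) for r in inventory}


if __name__ == "__main__":
    for host, verdict in report(INVENTORY).items():
        print(f"{host}: {verdict}")
```

A "clear" verdict only reflects the inventory data; hosts marked "affected" or "review" still need the three named binaries examined, since their signatures remained valid.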
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-30514
Vulnerability details
A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions 12.5.0.2421 through 12.5.0.2434), distributed from the legitimate website daemon-tools.cc between approximately April 8, 2026, and May 5, 2026. Attackers gained unauthorized access to the vendor's (AVB Disc Soft) build or distribution infrastructure and trojanized three binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. These files were digitally signed with the legitimate AVB Disc Soft code-signing certificate, allowing the malicious installers to appear trustworthy and bypass signature-based detection.
- CWE(s): CWE-506
- KEV Date Added: 27 May 2026
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct supply chain compromise of vendor build/distribution infrastructure resulting in trojanized signed binaries in official installers (CWE-506).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires protection against supply-chain attacks on build and distribution infrastructure used to insert the trojanized binaries.
Mandates integrity verification of software prior to execution, which would have detected the unauthorized modifications even though signatures remained valid.
Requires component authenticity verification processes that address risks from compromised vendor signing certificates and build systems.