CVE-2026-8398

CVSS 9.3 CRITICALEPSS 1.4%● KEVCWE-506

In short

Legitimate DAEMON Tools Lite installers were secretly infected with malware between April and May 2026. Users who downloaded and installed the software during this period may have unknowingly installed trojans that could compromise their systems.

Technical detail

Supply chain attack targeting DAEMON Tools Lite versions 12.5.0.2421–12.5.0.2434 via compromised build infrastructure; three executables (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe) were trojanized and signed with legitimate AVB Disc Soft certificates, bypassing signature-based detection. Attack vector: software update/installation from official distribution channels; impact includes arbitrary code execution on user systems with installer privileges.

Summary generated and translated by AI from the official description.

A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions 12.5.0.2421 through 12.5.0.2434), distributed from the legitimate website daemon-tools.cc between approximately April 8, 2026, and May 5, 2026. Attackers gained unauthorized access to the vendor's (AVB Disc Soft) build or distribution infrastructure and trojanized three binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. These files were digitally signed with the legitimate AVB Disc Soft code-signing certificate, allowing the malicious installers to appear trustworthy and bypass signature-based detection.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

AVB Disc Soft · DAEMON Tools Lite

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://blog.daemon-tools.cc/post/security-incident https://securelist.com/tr/daemon-tools-backdoor/119654/https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-8398