CVE-2026-8398
Published 2026-05-15
Priority: P1 · 88 · critical · CVSS 3.1: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
CISA Known Exploited Vulnerability, due 2026-05-30
Exploited in the wild
EPSS: 1.46% (70.2th percentile)
A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions 12.5.0.2421 through 12.5.0.2434), distributed from the legitimate website daemon-tools.cc between approximately April 8, 2026, and May 5, 2026. Attackers gained unauthorized access to the vendor's (AVB Disc Soft) build or distribution infrastructure and trojanized three binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. These files were digitally signed with the legitimate AVB Disc Soft code-signing certificate, allowing the malicious installers to appear trustworthy and bypass signature-based detection.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| avb_disc_soft | daemon_tools_lite | >= 12.5.0.2421 < 2.6.0.* | 2.6.0.* |
| disc-soft | daemon_tools | — | — |
Detection & IOCs (extracted from sources)
- Flag installations of DAEMON Tools Lite versions 12.5.0.2421 through 12.5.0.2434 — these version numbers correspond to the trojanized build window distributed between approximately April 8 and May 5, 2026.
- Do not rely on Authenticode/code-signing validation alone to clear these binaries — the trojanized files carry a legitimate AVB Disc Soft certificate and will pass signature-based checks.
- Hunt for the three specific trojanized filenames (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe) on endpoints; presence of any of these from the affected version range should trigger incident response.
- The supply chain compromise subverted the vendor's build or distribution infrastructure to emit validly signed artifacts — apply behavioral and integrity monitoring of install-time execution rather than trusting signed provenance alone.
- The trojanized binaries carry a valid AVB Disc Soft code-signing certificate; signature-based allow-listing will NOT distinguish malicious from legitimate builds — hash-based or behavioral detection is required.
- The malicious distribution window is bounded (approx. April 8 – May 5, 2026); installations outside this window from daemon-tools.cc are not confirmed affected, but version range 12.5.0.2421–12.5.0.2434 should be treated as suspect regardless of install date.
- CISA's KEV entry notes the vulnerability as 'unspecified' in technical detail beyond the embedded malicious code; refer to the vendor's own security incident post for the most current remediation guidance.
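A triage pass over an endpoint file inventory that applies the filename and version-range guidance above while deliberately ignoring signature status. This is an added example, not code from the advisory sources or the vendor; the CSV column names, hostnames and sample rows are constructed, and it assumes each binary's file version matches the installer version.

```python
import csv
import io

# Filenames and version bounds are taken from the advisory text above.
TROJANIZED_NAMES = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
FIRST_BAD = (12, 5, 0, 2421)
LAST_BAD = (12, 5, 0, 2434)

# Constructed sample inventory export; the column names are assumptions.
SAMPLE_INVENTORY = r"""host,path,file_version,signature_status
ws-01,C:\Program Files\DAEMON Tools Lite\DTHelper.exe,12.5.0.2425,Valid
ws-02,C:\Program Files\DAEMON Tools Lite\DiscSoftBusServiceLite.exe,12.5.0.2420,Valid
ws-03,C:\Program Files\DAEMON Tools Lite\DTSHELLHLP.EXE,12.5.0.2434,Valid
ws-04,C:\Program Files\DAEMON Tools Lite\DTHelper.exe,,Valid
ws-05,C:\Windows\System32\notepad.exe,10.0.19041.1,Valid
"""

def parse_version(text):
    """Return a 4-part version tuple, or None if the field is unusable."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def basename(path):
    """Lower-cased final path component; Windows filenames are case-insensitive."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(inventory_csv):
    """Return (host, filename, version, verdict) for every named binary found."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        name = basename(row["path"])
        if name not in TROJANIZED_NAMES:
            continue
        version = parse_version(row["file_version"])
        if version is None:
            verdict = "review"         # named file, version unreadable: do not clear it
        elif FIRST_BAD <= version <= LAST_BAD:
            verdict = "suspect"        # signature_status is ignored on purpose
        else:
            verdict = "outside-range"
        findings.append((row["host"], name, row["file_version"], verdict))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(*finding)
```

A "Valid" signature never changes the verdict here, which is the point of the guidance: rows marked `suspect` or `review` go to incident response regardless of what Authenticode reports.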
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| cisa | — | 9.3 | CRITICAL | — |
GHSA
GHSA-rm3r-35x9-jv93: A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions 12
ghsa_unreviewed·2026-05-15
CVE-2026-8398 [CRITICAL] CWE-506 GHSA-rm3r-35x9-jv93: A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions 12
VulDB
AVB Disc Soft DAEMON Tools Lite up to 12.5.0.2434 daemon-tools.cc malicious code (EUVD-2026-30514)
vuldb·2026-05-15·CVSS 9.3
CVE-2026-8398 [CRITICAL] AVB Disc Soft DAEMON Tools Lite up to 12.5.0.2434 daemon-tools.cc malicious code (EUVD-2026-30514)
A vulnerability has been found in AVB Disc Soft DAEMON Tools Lite up to 12.5.0.2434 and classified as critical. This affects an unknown part of the file daemon-tools.cc. The manipulation leads to embedded malicious code.
This vulnerability is uniquely identified as CVE-2026-8398. The attack can be carried out remotely. No exploit exists.
The affected component should be upgraded.
VulnCheck
Vulnerability
vulncheck·2026
CVE-2026-8398 Vulnerability
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://securelist.com/tr/daemon-tools-backdoor/119654/
CISA
Daemon Tools Lite Embedded Malicious Code Vulnerability
cisa·2026-05-27·CVSS 9.3
CVE-2026-8398 [CRITICAL] CWE-506 Daemon Tools Lite Embedded Malicious Code Vulnerability
Vulnerability: Daemon Tools Lite Embedded Malicious Code Vulnerability
Affected: Daemon Daemon Tools Lite
Daemon Tools contains an unspecified vulnerability that has a high impact on confidentiality, integrity, and availability.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://blog.daemon-tools.cc/post/security-incident ; https://nvd.nist.gov/vuln/detail/CVE-2026-8398
Remediation Due Date: 2026-05-30
No detection rules found.
No public exploits indexed.
Sans Isc
TeamPCP Supply Chain Campaign: Activity Through 2026-06-07, (Mon, Jun 8th)
blogs_sans_isc·2026-06-08
CVE-2026-45321 TeamPCP Supply Chain Campaign: Activity Through 2026-06-07, (Mon, Jun 8th)
TeamPCP Supply Chain Campaign: Activity Through 2026-06-07
Published: 2026-06-08. Last Updated: 2026-06-08 17:07:37 UTC
by Kenneth Hartman (Version: 1)
This diary continues the Internet Storm Center's tracking of the TeamPCP supply chain campaign, first documented in the SANS white paper When the Security Scanner Became the Weapon and most recently in the handler diary Activity Through 2026-05-24. Since that update, the story moved into two new places: the United States government, which formally caught up to the campaign, and the wider population of attackers now wielding the Mini Shai-Hulud framework that TeamPCP open-sourced last month.
Bottom line up front
Two developments stand out since the last update. First, the federal response that prior coverage flagged as cons
Hackernews
ThreatsDay Bulletin: Claude Security Plugin, Azure Priv-Esc, Kali365 MFA Bypass, FIFA Scams +15 More
blogs_hackernews·2026-05-28
CVE-2026-8398 ThreatsDay Bulletin: Claude Security Plugin, Azure Priv-Esc, Kali365 MFA Bypass, FIFA Scams +15 More
## ThreatsDay Bulletin: Claude Security Plugin, Azure Priv-Esc, Kali365 MFA Bypass, FIFA Scams +15 More
Every time you think the industry has finally stopped doing some reckless, low-effort crap, somebody spins up a fresh box full of sketchy loaders, fake installers, recycled social-engineering bait, and enough exposed infrastructure to make you wonder if prod is just a public beta now - meanwhile some researcher casually drops a technique that turns a "minor" foothold into total account compromise because apparently six digits and blind trust were all that stood between your vault and getting absolutely pwned. Cool. Great. Love
Timeline
- 2026-05-15: Published
- 2026-05-27: Added to CISA KEV
- Exploited in the wild