CVE-2026-8398
CVE-2026-8398 is a critical-severity vulnerability in Disc-soft Daemon Tools with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2026-05-27). The underlying weakness is classified as CWE-506.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v4: 9.3
- EPSS exploit prediction: 1% (70th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2026-05-27)
- EU (EUVD) id: EUVD-2026-30514
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2026-05-27)
- Weakness: CWE-506
- Affected product: Disc-soft Daemon Tools
- Published:
- Last modified:
Description
A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions 12.5.0.2421 through 12.5.0.2434), distributed from the legitimate website daemon-tools.cc between approximately April 8, 2026, and May 5, 2026. Attackers gained unauthorized access to the vendor's (AVB Disc Soft) build or distribution infrastructure and trojanized three binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. These files were digitally signed with the legitimate AVB Disc Soft code-signing certificate, allowing the malicious installers to appear trustworthy and bypass signature-based detection.
Frequently asked questions
- What is CVE-2026-8398?
- A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions 12.5.0.2421 through 12.5.0.2434), distributed from the legitimate website daemon-tools.cc between approximately April 8, 2026, and May 5, 2026. Attackers gained unauthorized access to the vendor's (AVB Disc Soft) build or distribution infrastructure and trojanized three binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. These files were digitally signed with the legitimate AVB Disc Soft code-signing certificate, allowing the malicious installers to appear trustworthy and bypass signature-based detection.
- How severe is CVE-2026-8398?
- CVE-2026-8398 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2026-8398 being actively exploited?
- Yes. CVE-2026-8398 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2026-05-27, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2026-8398?
- CVE-2026-8398 affects Disc-soft Daemon Tools. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-8398?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2026-8398 have an EU (EUVD) identifier?
- Yes. CVE-2026-8398 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-30514. It is also flagged as exploited in the EUVD (since 2026-05-27).
- When was CVE-2026-8398 published?
- CVE-2026-8398 was published on 2026-05-15 and last updated on 2026-06-17.
References
- https://blog.daemon-tools.cc/post/security-incident
- https://securelist.com/tr/daemon-tools-backdoor/119654/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-8398
Affected products (1)
- cpe:2.3:a:disc-soft:daemon_tools:12.5.1:*:*:*:lite:*:*:*
More vulnerabilities in Disc-soft Daemon Tools
- CVE-2021-21832 — Critical (CVSS 9.8): A memory corruption vulnerability exists in the ISO Parsing functionality of Disc Soft Ltd Deamon Tools Pro 8.3.0.0767.…
All CVEs affecting Disc-soft Daemon Tools →
Other CWE-506 vulnerabilities
- CVE-2026-28353 — Critical (CVSS 10.0): Trivy Vulnerability Scanner is a VS Code extension that helps find vulnerabilities. In Trivy VSCode Extension version…
- CVE-2024-3094 — Critical (CVSS 10.0): Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of…
- CVE-2026-48027 — Critical (CVSS 9.8): Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, 18.95.0, was…
- CVE-2026-44484 — Critical (CVSS 9.8): PyTorch Lightning is a deep learning framework to pretrain and finetune AI models. Versions 2.6.2 and 2.6.2 have…
- CVE-2026-6443 — Critical (CVSS 9.8): All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to…
- CVE-2026-34424 — Critical (CVSS 9.8): Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected…