CVE-2026-8398

CVE-2026-8398 is a critical-severity vulnerability in Disc-soft Daemon Tools with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2026-05-27). The underlying weakness is classified as CWE-506.

Key facts

Description

A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions 12.5.0.2421 through 12.5.0.2434), distributed from the legitimate website daemon-tools.cc between approximately April 8, 2026, and May 5, 2026. Attackers gained unauthorized access to the vendor's (AVB Disc Soft) build or distribution infrastructure and trojanized three binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. These files were digitally signed with the legitimate AVB Disc Soft code-signing certificate, allowing the malicious installers to appear trustworthy and bypass signature-based detection.

Frequently asked questions

What is CVE-2026-8398?
A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions 12.5.0.2421 through 12.5.0.2434), distributed from the legitimate website daemon-tools.cc between approximately April 8, 2026, and May 5, 2026. Attackers gained unauthorized access to the vendor's (AVB Disc Soft) build or distribution infrastructure and trojanized three binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. These files were digitally signed with the legitimate AVB Disc Soft code-signing certificate, allowing the malicious installers to appear trustworthy and bypass signature-based detection.
How severe is CVE-2026-8398?
CVE-2026-8398 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2026-8398 being actively exploited?
Yes. CVE-2026-8398 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2026-05-27, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2026-8398?
CVE-2026-8398 affects Disc-soft Daemon Tools. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-8398?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2026-8398 have an EU (EUVD) identifier?
Yes. CVE-2026-8398 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-30514. It is also flagged as exploited in the EUVD (since 2026-05-27).
When was CVE-2026-8398 published?
CVE-2026-8398 was published on 2026-05-15 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Disc-soft Daemon Tools

All CVEs affecting Disc-soft Daemon Tools →

Other CWE-506 vulnerabilities

Browse all CWE-506 vulnerabilities →