Skip to main content

DAEMON Tools Lite CVE-2026-8398

| EUVDEUVD-2026-30514 CRITICAL
Embedded Malicious Code (CWE-506)
2026-05-15 Kaspersky GHSA-rm3r-35x9-jv93
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Added to CISA KEV
May 27, 2026 - 19:46 CISA
Patch available
May 15, 2026 - 10:16 EUVD
Analysis Generated
May 15, 2026 - 09:30 vuln.today
CVSS changed
May 15, 2026 - 09:22 NVD
9.8 (CRITICAL) 9.3 (CRITICAL)
CVE Published
May 15, 2026 - 07:30 nvd
CRITICAL 9.3

DescriptionCVE.org

A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions 12.5.0.2421 through 12.5.0.2434), distributed from the legitimate website daemon-tools.cc between approximately April 8, 2026, and May 5, 2026. Attackers gained unauthorized access to the vendor's (AVB Disc Soft) build or distribution infrastructure and trojanized three binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. These files were digitally signed with the legitimate AVB Disc Soft code-signing certificate, allowing the malicious installers to appear trustworthy and bypass signature-based detection.

AnalysisAI

Supply chain compromise of DAEMON Tools Lite for Windows delivered trojanized installers through the legitimate vendor website daemon-tools.cc from April 8 to May 5, 2026. Attackers compromised AVB Disc Soft's build infrastructure and injected malicious code into three binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe), all signed with the vendor's legitimate code-signing certificate. This allowed remote attackers to achieve arbitrary code execution on systems installing affected versions (12.5.0.2421 through 12.5.0.2434) with no user interaction required beyond normal installation. The legitimate digital signature bypassed security controls that rely on code-signing verification, making detection extremely difficult during the compromise window.

Technical ContextAI

This is a software supply chain attack (CWE-506: Embedded Malicious Code) targeting the build or distribution pipeline of DAEMON Tools Lite, a popular Windows disk image mounting utility. The attack vector differs from typical application vulnerabilities - rather than exploiting a coding flaw, adversaries compromised the vendor's infrastructure to inject malicious code at the source. The trojanized binaries (DTHelper.exe for installation helper functions, DiscSoftBusServiceLite.exe for the background service, and DTShellHlp.exe for Windows shell integration) were signed using AVB Disc Soft's valid code-signing certificate, likely stolen or obtained through infrastructure compromise. This abuse of trust anchors demonstrates why code-signing alone is insufficient for software integrity - it validates the signer's identity but not the signer's security posture. The CPE string cpe:2.3:a:avb_disc_soft:daemon_tools_lite identifies the affected product scope. CVSS 4.0 vector AV:N indicates network-based distribution (downloaders obtained malicious installers from the internet), AC:L and AT:N reflect low attack complexity once infrastructure was compromised, and PR:N/UI:N indicate victims required no special privileges or additional interaction beyond normal software installation.

RemediationAI

Immediately uninstall any DAEMON Tools Lite installation matching versions 12.5.0.2421 through 12.5.0.2434, particularly if installed between April 8 and May 5, 2026. AVB Disc Soft has released clean versions post-compromise with revoked and reissued code-signing certificates - download and install the latest version from https://daemon-tools.cc after complete removal of affected versions. Because the trojanized binaries were digitally signed and may have installed with elevated privileges, perform full endpoint compromise assessment: scan for persistence mechanisms (scheduled tasks, registry autoruns, services), review network connections from the three affected binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe), and check for lateral movement indicators. Kaspersky's research at https://securelist.com/tr/daemon-tools-backdoor/119654/ may contain indicators of compromise (IOCs) for detection. Organizations should audit software deployment logs to identify systems that installed during the compromise window and prioritize those for investigation. Consider filesystem and memory forensics on affected endpoints to determine payload behavior and data exfiltration scope. No workarounds exist for already-compromised systems - full removal and investigation are mandatory. As a preventive control for future supply chain risks, implement application control policies that alert on new code-signing certificates even from known vendors, though note this carries operational overhead as legitimate certificate renewals trigger alerts.

Share

CVE-2026-8398 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy