A supply chain compromise of AVB Disc Soft's build or distribution infrastructure resulted in signed, trojanized DAEMON Tools Lite installers being served from the legitimate vendor website for nearly a month, earning the CVE a CISA KEV listing on May 27, 2026.
What Is It
CVE-2026-8398 is a CWE-506 (Embedded Malicious Code) flaw rated CVSS 9.8, with a CVSS 4.0 score of 9.3 (CRITICAL). Attackers gained unauthorized access to AVB Disc Soft's build or distribution infrastructure and trojanized three binaries, DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe, inside the official DAEMON Tools Lite installer packages. The malicious binaries were digitally signed with the legitimate AVB Disc Soft code-signing certificate, allowing them to appear trustworthy and bypass signature-based detection.
Why It Matters
The poisoned installers were distributed from the legitimate vendor site daemon-tools.cc between approximately April 8, 2026 and May 5, 2026, meaning users who downloaded directly from the official source during that window received the backdoored build. Because the malicious files carried a valid vendor code-signing signature, defenses relying on signature trust would not have flagged them. The CVSS vector (AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H) reflects full compromise of confidentiality, integrity, and availability with no privileges or user interaction required beyond running the installer. CISA added the CVE to the Known Exploited Vulnerabilities catalog on 2026-05-27, confirming it warrants urgent attention; known ransomware campaign use is listed as Unknown.
What's Vulnerable
- Product: DAEMON Tools Lite (Windows)
- Affected versions: 12.5.0.2421 through 12.5.0.2434
- Distribution window: Approximately April 8, 2026 – May 5, 2026, via daemon-tools.cc
- Trojanized binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe
- Vendor: AVB Disc Soft
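One way to triage a fleet file inventory against the version range, file names and distribution window listed above (an added example, not vendor or CISA tooling). The CSV layout, column names, hosts and rows are constructed, and treating the product version range as the file version of each binary is an assumption.

```python
import csv
import io
from datetime import date

# Values taken from the advisory text above.
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)
WINDOW_START = date(2026, 4, 8)   # window is approximate per the advisory
WINDOW_END = date(2026, 5, 5)
TROJANIZED = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}

# Constructed inventory export (hypothetical columns and hosts).
SAMPLE = """host,file,version,installed,signature
ws-01,DTHelper.exe,12.5.0.2421,2026-04-10,Valid
ws-02,DTShellHlp.exe,12.5.0.2434,2026-05-05,Valid
ws-03,DTHelper.exe,12.5.0.24210,2026-03-01,Valid
ws-04,DiscSoftBusServiceLite.exe,12.5.0.2440,2026-04-20,Valid
ws-05,notepad.exe,12.5.0.2425,2026-04-20,Valid
"""

def parse_version(text):
    """'12.5.0.2421' -> (12, 5, 0, 2421) so comparison is numeric, not lexical."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))

def triage(row):
    """Return the reasons an inventory row needs investigation (empty if none)."""
    # The signature column is ignored on purpose: the trojanized files carried
    # a valid vendor signature, so "Valid" cannot clear a host.
    if row["file"].lower() not in TROJANIZED:
        return []
    reasons = []
    try:
        if AFFECTED_MIN <= parse_version(row["version"]) <= AFFECTED_MAX:
            reasons.append("affected-version")
    except ValueError:
        reasons.append("unparseable-version")
    try:
        if WINDOW_START <= date.fromisoformat(row["installed"]) <= WINDOW_END:
            reasons.append("installed-in-window")
    except ValueError:
        reasons.append("unknown-install-date")
    return reasons

def flagged_hosts(csv_text):
    """Map host -> reasons for every row with at least one reason."""
    rows = csv.DictReader(io.StringIO(csv_text))
    hits = {r["host"]: triage(r) for r in rows}
    return {host: why for host, why in hits.items() if why}
```

Row ws-03 shows why versions are compared as integer tuples: as a string, 12.5.0.24210 sorts inside the affected range, while numerically it falls outside it.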
Patch Status
CISA's required action (due 2026-05-30) is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The vendor has published a security incident notice at blog.daemon-tools.cc. NVD vulnerability status is currently "Undergoing Analysis."