Description
A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions 12.5.0.2421 through 12.5.0.2434), distributed from the legitimate website daemon-tools.cc between approximately April 8, 2026, and May 5, 2026. Attackers gained unauthorized access to the vendor's (AVB Disc Soft) build or distribution infrastructure and trojanized three binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. These files were digitally signed with the legitimate AVB Disc Soft code-signing certificate, allowing the malicious installers to appear trustworthy and bypass signature-based detection.
Published: 2026-05-15
Score: 9.3 Critical
EPSS: 14.4% Moderate
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

A supply‑chain attack compromised the official Windows installers of DAEMON Tools Lite between April 8 and May 5, 2026. Attackers inserted malicious binaries—DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe—into the installers, which were signed with the legitimate AVB Disc Soft code‑signing certificate. The trojanized installers appear authentic and allow the embedded binaries to run during installation, giving an attacker the ability to execute arbitrary code on an infected system, which is a weakness corresponding to CWE‑506.

Affected Systems

The vulnerability affects Windows installations of DAEMON Tools Lite (12.5.0.2421 through 12.5.0.2434) distributed by AVB Disc Soft from their official website daemon-tools.cc. Systems that have installed these packages, which are digitally signed by AVB Disc Soft, are at risk.

Risk and Exploitability

With a CVSS score of 9.3 the flaw is rated critical, and an EPSS score of 14% indicates a moderate probability that the vulnerability will be exploited. The attack vector is inferred to be user installation of the tainted installer; once the installer runs, the trojanized binaries can execute code in the context of the installed application, potentially allowing an attacker remote control of the affected machine. The vulnerability is listed in the CISA KEV catalog, and the high severity combined with the authentic signing certificate make it a significant threat.

Generated by OpenCVE AI on June 4, 2026 at 14:42 UTC.

Remediation

Vendor Solution

Users of potentially infected application are recommended to uninstall the application, run a full system scan using antivirus software with the latest version of the anti-virus databases, and install the latest version of DAEMON Tools Lite (12.6 or newer) from the official website.

OpenCVE Recommended Actions

  • Uninstall any potentially compromised DAEMON Tools Lite installation
  • Run a full system scan with up‑to‑date antivirus databases
  • Install the latest version of DAEMON Tools Lite (12.6 or newer) from the official website

Generated by OpenCVE AI on June 4, 2026 at 14:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Title Supply-Chain Attack Infiltrates DAEMON Tools Lite Installers with Trojan Binaries

Fri, 29 May 2026 16:15:00 +0000

Type Values Removed Values Added
Title Supply‑Chain Attack Compromises DAEMON Tools Lite Windows Installers with Trojanized Binaries

Thu, 28 May 2026 15:15:00 +0000

Type Values Removed Values Added
Title Supply‑Chain Attack Compromises DAEMON Tools Lite Windows Installers with Trojanized Binaries

Thu, 28 May 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft windows
CPEs cpe:2.3:a:disc-soft:daemon_tools:12.5.1:*:*:*:lite:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows

Wed, 27 May 2026 23:00:00 +0000

Type Values Removed Values Added
Title Supply Chain Backdoor in DAEMON Tools Lite Installer

Wed, 27 May 2026 18:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 27 May 2026 17:45:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-05-27T00:00:00+00:00', 'dueDate': '2026-05-30T00:00:00+00:00'}

Fri, 15 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 15 May 2026 11:45:00 +0000

Type Values Removed Values Added
Title Supply Chain Backdoor in DAEMON Tools Lite Installer

Fri, 15 May 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Disc-soft
Disc-soft daemon Tools
Vendors & Products Disc-soft
Disc-soft daemon Tools

Fri, 15 May 2026 09:00:00 +0000

Type Values Removed Values Added
Description A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions 12.5.0.2421 through 12.5.0.2434), distributed from the legitimate website daemon-tools.cc between approximately April 8, 2026, and May 5, 2026. Attackers gained unauthorized access to the vendor's (AVB Disc Soft) build or distribution infrastructure and trojanized three binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. These files were digitally signed with the legitimate AVB Disc Soft code-signing certificate, allowing the malicious installers to appear trustworthy and bypass signature-based detection.
Weaknesses CWE-506
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Disc-soft Daemon Tools
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Kaspersky

Published:

Updated: 2026-05-28T03:55:20.809Z

Reserved: 2026-05-12T13:20:16.358Z

Link: CVE-2026-8398

cve-icon Vulnrichment

Updated: 2026-05-15T13:27:56.721Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-15T09:16:17.653

Modified: 2026-05-28T12:57:00.563

Link: CVE-2026-8398

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T14:45:16Z

Weaknesses