A supply‑chain attack compromised the official Windows installers of DAEMON Tools Lite between April 8 and May 5, 2026. Attackers inserted malicious binaries—DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe—into the installers, which were signed with the legitimate AVB Disc Soft code‑signing certificate. The trojanized installers appear authentic and allow the embedded binaries to run at installation time, giving an attacker the ability to execute arbitrary code on an infected system, which is a weakness corresponding to CWE‑506.

The vulnerability affects Windows versions of DAEMON Tools Lite 12.5.0.2421 through 12.5.0.2434 that were downloaded directly from the official daemon-tools.cc website. Systems running any of these installation packages and accepting the digitally signed installers are at risk.

With a CVSS score of 9.3 the flaw is rated critical, and although an EPSS score is not available, the compromised build infrastructure and signed installers provide a high likelihood of exploitation. The attack vector is inferred to be user installation of the tainted installer; once the installer runs, the trojanized binaries can execute code in the context of the installed application, potentially allowing remote control of the affected machine. The vulnerability is not listed in the CISA KEV catalog, but the high severity and authenticity of the signing certificate make it a significant threat.