CVE-2026-8398

Critical

Published: 15 May 2026

Published

15 May 2026

Modified

15 May 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0003 8.9th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-8398 is a critical-severity Embedded Malicious Code (CWE-506) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, ranked at the 8.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

CM-10 Software Usage Restrictions

addresses: CWE-506

Restricting software to licensed versions and controlling P2P prevents introduction of software containing embedded malicious code from unauthorized sources.

CM-11 User-installed Software

addresses: CWE-506

The control prevents users from installing software that contains embedded malicious code.

CM-8 System Component Inventory

addresses: CWE-506

Regular inventory reviews and updates make it harder to conceal or exploit embedded malicious code by requiring all components to be documented and accounted for.

CP-10 System Recovery and Reconstitution

addresses: CWE-506

Reverting to a known state removes any malicious code embedded by an attacker.

MA-3 Maintenance Tools

addresses: CWE-506

The approval and review process for maintenance tools can prevent introduction or continued use of tools containing embedded malicious code.

PM-30 Supply Chain Risk Management Strategy

addresses: CWE-506

Supply chain strategy requires vetting and controls during acquisition to prevent or detect insertion of malicious code by vendors or integrators.

PS-2 Position Risk Designation

addresses: CWE-506

Background screening for development or deployment roles makes intentional insertion of malicious code by insiders materially harder to accomplish.

RA-10 Threat Hunting

addresses: CWE-506

The capability explicitly searches for embedded malicious code and backdoors as indicators of compromise.

NVD Description

A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions 12.5.0.2421 through 12.5.0.2434), distributed from the legitimate website daemon-tools.cc between approximately April 8, 2026, and May 5, 2026. Attackers gained unauthorized access to the vendor's…

(AVB Disc Soft) build or distribution infrastructure and trojanized three binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. These files were digitally signed with the legitimate AVB Disc Soft code-signing certificate, allowing the malicious installers to appear trustworthy and bypass signature-based detection.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-506

Affected Products

—

Windows

inferred from references and description; NVD did not file a CPE for this CVE

References

https://blog.daemon-tools.cc/post/security-incident
vulnerability@kaspersky.com
https://securelist.com/tr/daemon-tools-backdoor/119654/
vulnerability@kaspersky.com