TP-EXP-2026-0308 | CVE-2026-8398 | Critical | Active Exploitation | AI Draft

Daemon Tools Lite Embedded Malicious Code Vulnerability (CVE-2026-8398)

  • CVE: CVE-2026-8398
  • Platform: Daemon Tools Lite
  • Type: Supply Chain Compromise
  • Severity: CRITICAL
  • Status: Active Exploitation
  • Zero-Day: Confirmed
  • Disclosed: May 6, 2026
  • Patched: May 5, 2026
  • Researcher: Unknown
  • CISA KEV: Listed

Severity Assessment

  • Exploitability: 8/10
  • Impact: 9/10
  • Weaponization Risk: 8/10
  • Patch Urgency: 10/10
  • Detection Coverage: 6/10

CISA added CVE-2026-8398 to KEV on 2026-05-27 with required action due by 2026-05-30. KEV tracking and the vendor’s incident disclosure support urgent remediation for affected installations.

Summary

CVE-2026-8398 is tracked as an embedded malicious code vulnerability affecting the distribution of DAEMON Tools Lite. The CISA KEV entry records it as high-impact and references the vendor's incident statement.

Daemon Tools publicly reported unauthorized interference with its build infrastructure and stated that some released installation packages were compromised. The vendor indicates that version 12.5.1 was affected and that newer 12.6 builds were released as clean replacements.

Exploit Chain

Stage 1: Build/Release Interference

An unauthorized actor interfered with build infrastructure, leading to compromised release artifacts.

Stage 2: Distribution of Affected Packages

Compromised installation packages were made available through normal software distribution paths.

Stage 3: Endpoint Exposure Through Installation

Hosts installing affected packages were exposed to malicious code execution risk.

Detection Guidance

  • Identify endpoints where DAEMON Tools Lite 12.5.1 was installed or executed.
  • Review endpoint telemetry around installer execution windows for unexpected child processes or persistence artifacts.
  • Validate installed binaries against known-good vendor-provided replacements and remove unsupported affected versions.
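For the first step above, a software-inventory export can be triaged by version. The following is an added example, not vendor or CISA tooling: the CSV columns, host names, build-number suffixes and the rule that anything from 12.6 upward counts as clean are assumptions layered on the two versions this advisory names.

```python
import csv
import io
import re

AFFECTED = (12, 5, 1)   # version the vendor reported as affected (from this advisory)
CLEAN_FROM = (12, 6)    # assumption: 12.6 and later are the clean replacements

# Constructed sample export (host, product, version); not real fleet data.
SAMPLE_INVENTORY = """host,product,version
ws-001,DAEMON Tools Lite,12.5.1
ws-002,DAEMON Tools Lite,12.6.0.2445
ws-003,daemon tools lite,12.5.1.2209
ws-004,DAEMON Tools Lite,12.4.0
ws-005,7-Zip,24.08
ws-006,DAEMON Tools Lite,
"""

def parse_version(text):
    """Return the leading numeric components as a tuple, or None if absent."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def classify(version_text):
    v = parse_version(version_text)
    if v is None:
        return "unknown"                 # no version recorded: check the host directly
    padded = v + (0,) * (3 - len(v))     # "12.6" compares as 12.6.0
    if padded[:3] == AFFECTED:           # tuple compare, so 12.5.10 is not a match
        return "affected"
    if padded[:2] >= CLEAN_FROM:
        return "clean"
    return "review"                      # the advisory is silent on other versions

def triage(csv_text):
    """Map each host running DAEMON Tools Lite to a triage status."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if "daemon tools lite" in row["product"].lower():
            result[row["host"]] = classify(row["version"])
    return result

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}\t{status}")
```

Hosts marked `affected` feed the telemetry review and binary validation steps; `unknown` and `review` hosts need a manual version check before they are cleared.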

Indicators of Compromise

  • Presence of DAEMON Tools Lite 12.5.1 installation packages or binaries in software inventories.
  • Endpoint events showing suspicious process behavior immediately after DAEMON Tools installer execution.
  • Unapproved modifications to DAEMON Tools installation paths or startup mechanisms following installation.

Disclosure Timeline

2026-05-05 — Vendor clean version noted

Vendor statement indicates release of DAEMON Tools Lite 12.6 without suspected compromised files.

2026-05-06 — Public incident disclosure

Daemon Tools published a security incident notice describing its findings on compromised releases and the removal of affected packages.

2026-05-27 — CISA KEV inclusion

CISA added CVE-2026-8398 to KEV with required action due by 2026-05-30.

Sources & References