Cybersecurity Blog | RedLegg

Security Bulletin: Daemon Tools Lite Embedded Malicious Code Vulnerability

Written by RedLegg's Cyber Threat Intelligence Team | 5/28/26 5:25 PM

About:

CVE-2026-8398 is an embedded malicious code vulnerability affecting DAEMON Tools Lite for Windows.

The vulnerability is associated with a supply-chain compromise in which maliciously modified installation packages were distributed through legitimate vendor infrastructure.

Organizations and users who downloaded or installed affected versions may have been exposed to unauthorized code execution and additional malicious activity originating from trusted software packages.

This vulnerability is actively exploited in the wild and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

Daemon Tools Lite Embedded Malicious Code Vulnerability

Identifier: CVE-2026-8398
PoC or Exploitation:   This vulnerability is actively exploited in the wild. CISA has added CVE-2026-8398 to the Known Exploited Vulnerabilities (KEV) catalog.
CVSS Score: 9.8 (Critical, CVSS v3.1)

 
 

Update / Patch: 

Affected versions include:
 
DAEMON Tools Lite for Windows versions 12.5.0.2421 through 12.5.0.2434
 
Vendor guidance indicates the latest release, DAEMON Tools Lite version 12.6.0.2445, no longer exhibits the malicious behavior associated with the incident.
 
Vendor advisory and incident guidance:
 

Description:

CVE-2026-8398 is an embedded malicious code vulnerability affecting DAEMON Tools Lite for Windows.
 
This vulnerability is associated with a supply-chain compromise in which maliciously modified installation packages were distributed through legitimate vendor infrastructure.
 
Organizations and users who downloaded or installed affected versions may have been exposed to unauthorized code execution and additional malicious activity originating from trusted software packages.

 

Mitigation Recommendation:

Immediately discontinue use of affected DAEMON Tools Lite versions and upgrade to version 12.6.0.2445 or later obtained from verified vendor sources.
 
Identify systems that downloaded or installed affected versions between April 8, 2026 and May 5, 2026.
 
Investigate potentially affected systems for indicators of compromise, suspicious persistence mechanisms, unauthorized scheduled tasks, abnormal startup entries, and unusual outbound network activity.
 
Consider rotating credentials and secrets that may have been exposed on systems where affected installers were executed.
 
Review endpoint detection and antivirus telemetry for suspicious activity associated with the compromised installation packages.

 
View full post