CVE-2026-8398 -- CVSS 9.8 Vulnerability Briefing
CVE-2026-8398 | CVSS 9.8 (Critical) | Exploit: No known exploit
What Is It
CVE-2026-8398 is a supply chain compromise affecting official installation packages of DAEMON Tools Lite for Windows, specifically versions 12.5.0.2421 through 12.5.0.2434, distributed via the legitimate vendor website daemon-tools.cc.
Technical Detail
Attackers tampered with the official DAEMON Tools Lite installer packages hosted on daemon-tools.cc, embedding malicious code within otherwise legitimate, signed distribution artifacts. Any user who downloaded and executed an affected installer version between 12.5.0.2421 and 12.5.0.2434 would have run attacker-controlled code with the privileges granted to the installation process, which on Windows typically includes elevated or administrative rights. The full payload behavior has not been publicly confirmed at this time, but supply chain compromises of this type commonly result in remote code execution, persistent backdoor installation, or credential harvesting on affected endpoints.
Exploitation Status
No known exploit has been independently documented or confirmed as of May 22, 2026, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog. However, the nature of a supply chain compromise means exploitation is inherently passive from the victim's perspective: any user who installed the affected packages during the distribution window was exposed without requiring any additional attacker interaction. The window of exposure is defined by the period those trojanized packages were available for download.
Who Is Targeting This
No specific threat actor attribution has been confirmed at this time. No named groups, campaigns, or targeted sectors have been formally associated with this supply chain compromise in available intelligence. Organizations should treat the absence of attribution as a data gap rather than an indicator of low risk, given the broad consumer and professional user base of DAEMON Tools Lite.
What To Do
Any system on which a DAEMON Tools Lite version from 12.5.0.2421 through 12.5.0.2434 was installed should be treated as potentially compromised and subjected to forensic review, including examination of persistence mechanisms, scheduled tasks, new user accounts, and outbound network connections established around the time of installation. Affected installations should be removed immediately and replaced with a verified clean version obtained directly from the vendor after confirming the current packages are uncompromised. Organizations should audit download logs, software inventory systems, and endpoint detection telemetry to identify all hosts where the affected versions were deployed. If the vendor has issued a remediated installer, verify its integrity via published hash values before deployment. Given the elevated privilege context of Windows installers, assume any affected host may require full reimaging depending on forensic findings.
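For the inventory step above, the following PowerShell check flags a host whose registered DAEMON Tools Lite version falls in the affected range. It is an added example, not vendor or advisory code; the function names are hypothetical, and it assumes the product registers under the standard Windows Uninstall registry keys with a DisplayName beginning "DAEMON Tools Lite" and a dotted numeric DisplayVersion.

```powershell
# Added example, not vendor code. Assumptions: the product registers under the
# standard Windows Uninstall keys with a DisplayName beginning
# "DAEMON Tools Lite" and a dotted numeric DisplayVersion.
$AffectedMin = [version]'12.5.0.2421'   # range taken from the briefing
$AffectedMax = [version]'12.5.0.2434'

function Get-AffectedStatus {
    param([string]$VersionString)
    $parsed = $null
    # TryParse avoids an exception on empty or non-numeric version strings.
    if (-not [version]::TryParse($VersionString, [ref]$parsed)) {
        return 'UNKNOWN_VERSION'        # needs manual review
    }
    # Numeric comparison per component; a string compare would misorder builds.
    if ($parsed -ge $AffectedMin -and $parsed -le $AffectedMax) {
        return 'AFFECTED'
    }
    return 'OUTSIDE_RANGE'
}

function Get-DaemonToolsLiteInstall {
    # Machine-wide (64- and 32-bit views) and current-user uninstall entries.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'DAEMON Tools Lite*' } |
        ForEach-Object {
            [pscustomobject]@{
                ComputerName   = $env:COMPUTERNAME
                DisplayName    = $_.DisplayName
                DisplayVersion = $_.DisplayVersion
                InstallDate    = $_.InstallDate   # anchors the forensic timeline
                Status         = Get-AffectedStatus $_.DisplayVersion
                RegistryKey    = $_.PSPath
            }
        }
}

Get-DaemonToolsLiteInstall | Format-List
```

An empty result only shows that no matching version is registered now; a host where an affected version was installed and later removed or upgraded still has to be found through download logs and endpoint telemetry.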