External risk intelligence

Supply Chain Attack on DAEMON Tools Lite Compromises Installation Packages

CVE advisoryKnown Exploit

CVE-2026-8398

Official DAEMON Tools Lite installation packages were compromised through a supply chain attack, embedding trojanized binaries signed with legitimate certificates. This allows malicious code to appear trustworthy, potentially leading to unauthorized system access and control when users install the affected software. It

1Halo Surface Signal

Disc Soft Daemon Tools

12.5.1

External exposure likelihood

Halo Surface Signal score for CVE-2026-8398

The vulnerability affects a client-side desktop utility intended for installation on individual workstations. It is not a network-accessible service, public-facing gateway, or internet-exposed server. The attack surface is localized to the host machine where the software is installed and executed by a user, making it not inherently reachable from the public internet.

PCI scan relevance

PCI Relevance for CVE-2026-8398

Yes

CVE-2026-8398 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

Compromised installation packages for DAEMON Tools Lite could allow attackers to execute arbitrary code. This type of vulnerability can lead to a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

A supply chain attack compromised official DAEMON Tools Lite installation packages, allowing attackers to embed malicious code that was signed with legitimate certificates. This means that even though the software appears trustworthy, it may contain hidden threats.

  • Malicious code hidden in trusted software.
  • Supply chain attacks undermine trust in vendors.
  • Assess relevance and exposure of this software.

Attack Path

How an attacker could exploit the issue

An attacker could compromise users by trojanizing installation packages of a popular Windows utility. These malicious packages, digitally signed with a legitimate certificate, would appear trustworthy, allowing attackers to gain unauthorized access to build or distribution systems. This could lead to the installation of malicious code on user systems.

  • Requires access to vendor infrastructure.
  • Triggers when user installs trojanized package.
  • Leads to unauthorized code execution.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, compromised installation packages for DAEMON Tools Lite could allow attackers to install trojanized binaries on user systems. These malicious files, signed with a legitimate certificate, may execute with elevated privileges, potentially affecting system integrity and confidentiality.

  • System files and installed software at risk.
  • Malicious installers executed by users.
  • Unauthorized system access and control.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

In a real-world scenario, the Application Owners responsible for DAEMON Tools Lite deployments, in conjunction with Infrastructure and Security Teams, should prioritize identifying all affected systems. This initial step involves confirming the presence of the compromised software, assessing its reachability and business criticality, and then coordinating remediation efforts with the vendor based on the determined risk.

  • Application owners must manage the issue.
  • Verify software installation and user access.
  • Coordinate vendor remediation and user communication.

Frequently asked questions

What is DAEMON Tools Lite and its primary function?

DAEMON Tools Lite is a Windows software application designed to create virtual drives and mount disc images, such as ISO files. It allows users to run software or games that require a physical disc without needing the actual disc, and helps manage multiple disc images efficiently.

What type of vulnerability does CVE-2026-8398 describe?

CVE-2026-8398 describes a supply chain attack where attackers compromised the official installation packages of DAEMON Tools Lite. This led to malicious code being embedded in legitimate software installers, which were then signed with valid vendor certificates.

How does the supply chain attack on DAEMON Tools Lite exploit trust?

The attack exploits trust by embedding malicious code into DAEMON Tools Lite's official installation packages, which are then digitally signed with the legitimate vendor's code-signing certificate. This makes the trojanized installers appear authentic and trustworthy, helping them bypass security measures.

What is the significance of CVE-2026-8398 given the Halo Surface Signal assessment?

The Halo Surface Signal indicates that this vulnerability is 'Very unlikely' to be a widespread threat because it affects a client-side utility. The attack surface is limited to individual user workstations where the software is installed and executed, rather than network-accessible services.

What actions should be taken in response to the DAEMON Tools Lite compromise?

Application owners should identify all systems with the affected DAEMON Tools Lite versions. It is crucial to assess the software's reachability and business importance, and then coordinate remediation efforts with the vendor, potentially by applying vendor-provided patches or discontinuing use if no mitigations are available.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified