CISA has added CVE-2026-8398 to its Known Exploited Vulnerabilities (KEV) catalogue. The entry concerns Daemon Tools Lite, a product of Daemon, and relates to the Daemon Tools Lite Embedded Malicious Code Vulnerability.
The vulnerability is described as an unspecified flaw in Daemon Tools with a high impact on confidentiality, integrity and availability. It carries a CVSS v3.1 score of 9.8, rated CRITICAL. No patch or advisory has been made publicly available at this time.
Active exploitation has been confirmed, which is the basis for the KEV designation. There is no publicly known use of this flaw in ransomware campaigns. Federal civilian executive branch (FCEB) agencies must apply the required mitigations by the remediation due date of 2026-05-30.
CISA’s required action is: “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” While this directive binds FCEB agencies, all organisations should review their exposure to Daemon Tools Lite and implement the advised steps if relevant.
For full technical details, consult the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-8398 and the CISA KEV catalogue.