CISA has published an ICS advisory detailing three vulnerabilities in Daktronics controller firmware affecting the VFC-DMP-5000, DMP-5000, and DMP-8000 product lines. Successful chaining of these flaws could allow an unauthenticated remote attacker to achieve complete root-level access to affected devices. The vulnerabilities were reported by Thomas Jou of Princeton University.

Affected Versions

All three device families are affected on three parallel firmware branches: versions prior to v8.117.x.x on the 8.x branch, prior to v9.43.x.x on the 9.x branch, and prior to v10.34.x.x on the 10.x branch. Daktronics devices are deployed worldwide and are used in commercial facilities, information technology, emergency services, and healthcare environments.

Vulnerability Details

  • CVE-2026-28701 (Path Traversal, CWE-22): Authenticated and unauthenticated remote users can escape the intended directory and enumerate arbitrary file system paths. CVSS v4.0 scores this 9.3 (Critical), reflecting network-accessible exploitation with no privileges or user interaction required.
  • CVE-2026-33560 (Unrestricted File Upload, CWE-434): The DMP-5000 file service exposes endpoints that accept file uploads from authenticated users without any extension filtering or content inspection. Executable binaries and scripts can be written directly to the server. CVSS v4.0 rates this 8.4 (High).
  • CVE-2026-31928 (Hard-coded Credentials, CWE-798): Devices ship with a default administrative web account whose weak credentials are not required to be changed during initial setup. Authenticating with this account provides full system access. CVSS v4.0 scores this 9.3 (Critical).
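The three weakness classes listed above are generic enough to show in code. The Python below is an added illustration written for this page; it is not Daktronics firmware and not code from the advisory. It pairs the insecure and hardened forms of the path resolution behind CWE-22, applies the extension allowlist and content inspection that the CWE-434 description says is missing, and adds a heuristic an operator could run over a web server access log to spot traversal attempts. The root directory, file types, device names and log lines are constructed for the example.

```python
import posixpath
import secrets
from pathlib import PurePosixPath
from typing import List, Optional
from urllib.parse import unquote

# Constructed example root for a hypothetical file service; not a real device path.
WEB_ROOT = "/srv/files"


def resolve_insecure(root: str, user_path: str) -> str:
    """The CWE-22 pattern: join and normalise, but never check where the result landed.
    '../../etc/passwd' walks out of the root; an absolute path discards the root entirely."""
    return posixpath.normpath(posixpath.join(root, user_path))


def resolve_secure(root: str, user_path: str) -> Optional[str]:
    """Hardened form: reject NUL bytes and absolute paths, normalise, then require the
    result to be the root itself or sit strictly beneath it. Returns None on rejection.
    URL-decoding must happen before this call, and on a real filesystem the check should
    be repeated on os.path.realpath() so symlinks cannot re-introduce the escape."""
    if "\x00" in user_path or user_path.startswith("/"):
        return None
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, user_path))
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


# CWE-434: allowlisted extensions, each tied to the leading bytes a genuine file of
# that type must carry. Anything else is refused regardless of the client's claim.
ALLOWED_UPLOADS = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}


def validate_upload(filename: str, content: bytes) -> Optional[str]:
    """Return a server-generated filename for an accepted upload, or None.
    Only the final suffix counts and it is compared case-insensitively; the body must
    start with that type's signature (the content inspection the advisory says is
    missing); and the client-supplied name never reaches disk."""
    ext = PurePosixPath(filename).suffix.lower()
    magic = ALLOWED_UPLOADS.get(ext)
    if magic is None or not content.startswith(magic):
        return None
    return f"{secrets.token_hex(16)}{ext}"


def looks_like_traversal(request_path: str) -> bool:
    """Access-log heuristic: decode twice (catches %252e double encoding), treat
    backslashes as separators, and flag any '..' path segment or NUL byte."""
    decoded = unquote(unquote(request_path))
    segments = decoded.replace("\\", "/").split("/")
    return ".." in segments or "\x00" in decoded


# Constructed access-log lines (not real device traffic): client, quoted request, status.
SAMPLE_LOG = [
    '10.0.0.5 "GET /files/reports/q1.csv HTTP/1.1" 200',
    '10.0.0.9 "GET /files/..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200',
    '10.0.0.9 "GET /files/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 404',
    '10.0.0.7 "GET /files/notes/todo..txt HTTP/1.1" 200',
]


def flag_traversal_lines(lines: List[str]) -> List[str]:
    """Return the log lines whose request path looks like a traversal attempt.
    The path is the second token of the quoted request ("GET <path> HTTP/1.1")."""
    flagged = []
    for line in lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        request = parts[1].split(" ")
        if len(request) >= 2 and looks_like_traversal(request[1]):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    print(resolve_insecure(WEB_ROOT, "../../etc/passwd"))   # escapes the root
    print(resolve_secure(WEB_ROOT, "../../etc/passwd"))     # None
    print(validate_upload("shell.sh", b"#!/bin/sh\n"))      # None
    for hit in flag_traversal_lines(SAMPLE_LOG):
        print("traversal?", hit)
```

The log heuristic is deliberately loose (a legitimate filename containing ".." as a whole segment would trip it) because on a controller's management interface there is no legitimate reason for a client to send a parent-directory segment; tune it on the volume of the logs you actually have before alerting on it.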

Remediation

Daktronics recommends updating firmware to one of the patched branches: 8.117.0.x, 9.43.0.x, or 10.34.0.x, depending on the product configuration in use. Operators should also replace default credentials with strong, unique passwords on each device immediately.
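Because the fix lives on three parallel branches, triaging a fleet is a per-branch version comparison rather than a single "greater than" check. The Python below is an added example for this page, not a Daktronics tool: it encodes the first fixed version of each branch as stated in the advisory, treats any branch the advisory does not name as needing manual review instead of passing it silently, and runs over a constructed inventory (device names and versions are made up here).

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# From the advisory: per firmware branch (leading component), the first fixed version.
# Anything on that branch below it is vulnerable.
FIRST_FIXED: Dict[int, Version] = {
    8: (8, 117, 0, 0),
    9: (9, 43, 0, 0),
    10: (10, 34, 0, 0),
}


def parse_version(text: str) -> Version:
    """Parse 'v8.116.2.1' or '8.116.2' into a 4-tuple, padding missing trailing
    components with 0. Raises ValueError for anything that is not 3 or 4 dotted integers."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+){2,3})", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 4:
        parts.append(0)
    return (parts[0], parts[1], parts[2], parts[3])


def triage(version_text: str) -> str:
    """Return 'patched', 'vulnerable', or 'unknown-branch'. The last covers branches the
    advisory does not list; those need manual review, not a silent pass."""
    v = parse_version(version_text)
    fixed = FIRST_FIXED.get(v[0])
    if fixed is None:
        return "unknown-branch"
    return "patched" if v >= fixed else "vulnerable"


# Constructed inventory (hostnames and versions invented for the example).
INVENTORY: List[Tuple[str, str]] = [
    ("sign-lobby-01", "8.116.4.2"),
    ("sign-lobby-02", "v8.117.0.1"),
    ("sign-er-entrance", "9.42.9.9"),
    ("sign-er-waiting", "9.43.0.0"),
    ("sign-parking-a", "10.33.12.0"),
    ("sign-parking-b", "10.34.2.0"),
    ("sign-legacy", "7.5.1.0"),
]


def triage_inventory(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group device names by triage result: 'vulnerable' is the patch queue,
    'unknown-branch' is the manual-review queue."""
    result: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown-branch": []}
    for name, version in inventory:
        result[triage(version)].append(name)
    return result


if __name__ == "__main__":
    for status, names in triage_inventory(INVENTORY).items():
        print(f"{status:15s} {', '.join(names) or '-'}")
```

Feed it the version strings your asset inventory already holds; the only point of care is that a version on an unlisted branch must surface for review rather than disappear into the "patched" bucket.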

Mitigations

CISA advises minimizing network exposure for all affected controllers, placing them behind firewalls, and isolating them from business networks. Where remote access is required, use a VPN, keep it updated to the current version, and recognize that it is only as secure as the endpoints it connects. Organizations should perform an impact analysis and risk assessment before deploying defensive measures.