VYPR
Advisory · Published Jun 25, 2026 · 1 source

CISA Warns of Critical Vulnerabilities in Daktronics Controller Firmware Allowing Root-Level Takeover

CISA disclosed three vulnerabilities in Daktronics Controller Firmware that could let unauthenticated attackers gain root-level control of digital display controllers used worldwide.

CISA released an advisory (ICSA-26-176-04) detailing multiple vulnerabilities in Daktronics Controller Firmware for VFC-DMP-5000, DMP-5000, and DMP-8000 models. The flaws include CVE-2026-28701 (path traversal), CVE-2026-33560 (unrestricted file upload), and CVE-2026-31928 (hard-coded credentials). Successful exploitation could allow an unauthenticated attacker to gain root-level control of affected systems, which are deployed across commercial facilities, information technology, emergency services, and healthcare sectors worldwide.

The most severe vulnerability, CVE-2026-31928, involves hard-coded administrative credentials shipped with DMP-5000 devices. These default accounts are not required to be changed during initial configuration or operation, giving attackers full system access if they discover the credentials. The flaw carries a CVSS v4.0 score of 9.3 (Critical) under the network attack vector, meaning remote exploitation is possible without user interaction.

CVE-2026-28701 is a path traversal vulnerability that allows both authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths. This could enable attackers to read sensitive configuration files or system data. The flaw is rated 9.3 Critical under CVSS v4.0 when exploited over the network.

CVE-2026-33560 involves unrestricted file upload in the DMP-5000 file service. Authenticated users can upload files of any type without validation, including executable binaries and scripts that can be written directly to the server. This could allow attackers to deploy malware or backdoors on the controller. The vulnerability is rated 8.4 High under CVSS v4.0.
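The two file-service weaknesses described above share one root: the service trusts the client-supplied file name and content. The following is an added illustration, not Daktronics firmware code; the real DMP-5000 file service API is not public here, so the content root (`BASE_DIR`), the handler names, the allowed image types and the sample requests are assumptions. It shows the traversal pattern behind CVE-2026-28701 beside a containment check, and an upload handler that applies that check plus a type allow-list, size cap and content check, which is the shape of fix the unrestricted-upload finding (CVE-2026-33560) calls for.

```python
"""Hardened file-service handling, added as illustration (not Daktronics code).

BASE_DIR, the handler names, ALLOWED_TYPES and the sample requests are all
assumptions; the checks themselves apply to any embedded web file service.
"""
import posixpath
from pathlib import PurePosixPath

BASE_DIR = PurePosixPath("/srv/display_files")   # assumed content root

# Image types the display service legitimately needs: extension -> magic bytes.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".bmp": b"BM",
}
MAX_UPLOAD_BYTES = 16 * 1024 * 1024               # assumed size ceiling


def resolve_path_vulnerable(user_path: str) -> PurePosixPath:
    """The traversal pattern: the client path is joined onto BASE_DIR and the
    '..' segments take the result out of the directory."""
    return PurePosixPath(posixpath.normpath(posixpath.join(str(BASE_DIR), user_path)))


def resolve_path_hardened(user_path: str) -> PurePosixPath:
    """Return the target only if it is still inside BASE_DIR after normalisation."""
    if not user_path or user_path.startswith("/") or "\x00" in user_path:
        raise PermissionError("empty, absolute or NUL-containing path rejected")
    # Lexical normalisation collapses '.', '..' and duplicate separators, so the
    # containment check below does not depend on the file existing.
    candidate = PurePosixPath(posixpath.normpath(posixpath.join(str(BASE_DIR), user_path)))
    try:
        candidate.relative_to(BASE_DIR)
    except ValueError:
        raise PermissionError(f"path escapes {BASE_DIR}: {user_path!r}") from None
    return candidate


def handle_upload(name: str, data: bytes) -> tuple[bool, str]:
    """Hardened upload: traversal check, extension allow-list, size cap, and a
    content check against the declared type (the client's Content-Type header
    is never consulted). Returns (accepted, destination-or-reason)."""
    try:
        dest = resolve_path_hardened(name)
    except PermissionError as exc:
        return False, str(exc)
    ext = dest.suffix.lower()
    if ext not in ALLOWED_TYPES:
        return False, f"file type not allowed: {ext or '(none)'}"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "upload exceeds size limit"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    return True, str(dest)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(resolve_path_vulnerable("../../etc/passwd"))     # lands outside BASE_DIR
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(handle_upload("logos/team.png", png))             # accepted
    print(handle_upload("../../usr/bin/run.sh", b"#!/bin/sh\n"))   # traversal rejected
    print(handle_upload("run.sh", b"#!/bin/sh\n"))          # type rejected
    print(handle_upload("fake.png", b"#!/bin/sh\n"))        # content mismatch rejected
```

The containment check is deliberately lexical rather than filesystem-based so it behaves the same whether or not the target exists; on a device that also exposes symlinks, a second check on the resolved real path would be added. The content check only looks at leading magic bytes, which is enough to stop a script renamed to `.png` but is not a full image parser.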

The vulnerabilities were reported to CISA by Thomas Jou of Princeton University. Daktronics recommends users update their device software to versions 8.117.0.x, 9.43.0.x, or 10.34.0.x, depending on the product configuration. The company also advises changing default passwords and using strong, unique credentials per device.
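The hard-coded-credential finding (CVE-2026-31928) comes down to one missing control: the shipped administrative password is never required to change. The sketch below is an added illustration, not Daktronics code, of the policy the vendor's advice points at. The factory password authenticates exactly once and only into a session that can rotate it, the default can never be chosen again, and a per-device initial password is generated instead of a shared one. The account name, the placeholder default value, the PBKDF2 parameters and the length limit are assumptions.

```python
"""First-login credential policy, added as illustration (not Daktronics code).

FACTORY_DEFAULT_PASSWORD is a placeholder, not the real shipped value; the
account name, the PBKDF2 parameters and MIN_LENGTH are assumptions.
"""
import hashlib
import hmac
import secrets

FACTORY_DEFAULT_PASSWORD = "<placeholder-factory-default>"   # placeholder only
MIN_LENGTH = 12
PBKDF2_ROUNDS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, name: str, password: str, factory_default: bool):
        self.name = name
        self.salt = secrets.token_bytes(16)
        self.hash = _hash(password, self.salt)
        # A shipped credential is flagged at creation, so the flag cannot be
        # forgotten by the provisioning flow.
        self.must_change = factory_default

    def check(self, password: str) -> bool:
        return hmac.compare_digest(self.hash, _hash(password, self.salt))


def login(account: Account, password: str) -> str:
    """Returns 'denied', 'must_change_password' or 'ok'. A default-flagged
    account gets a session that may only rotate the credential."""
    if not account.check(password):
        return "denied"
    return "must_change_password" if account.must_change else "ok"


def change_password(account: Account, current: str, new: str) -> bool:
    """Rotate the credential; refuse the factory default, short passwords and
    reuse of the current one. Clears the must_change flag on success."""
    if not account.check(current):
        return False
    if len(new) < MIN_LENGTH or new == FACTORY_DEFAULT_PASSWORD or account.check(new):
        return False
    account.salt = secrets.token_bytes(16)
    account.hash = _hash(new, account.salt)
    account.must_change = False
    return True


def provision_device() -> tuple[Account, str]:
    """The 'unique credentials per device' alternative: generate a random
    initial password per unit (delivered out of band, e.g. on the unit's label)
    rather than one shared hard-coded value. It is still flagged must_change."""
    initial = secrets.token_urlsafe(12)
    return Account("admin", initial, factory_default=True), initial


if __name__ == "__main__":
    admin = Account("admin", FACTORY_DEFAULT_PASSWORD, factory_default=True)
    print(login(admin, FACTORY_DEFAULT_PASSWORD))          # must_change_password
    print(change_password(admin, FACTORY_DEFAULT_PASSWORD, "short"))   # False
    print(change_password(admin, FACTORY_DEFAULT_PASSWORD, "correct-horse-battery-42"))  # True
    print(login(admin, "correct-horse-battery-42"))        # ok
    print(login(admin, FACTORY_DEFAULT_PASSWORD))          # denied
```

The point of keeping the rejection of the factory default inside `change_password` rather than only in the initial flow is that a later administrator cannot set the device back to its shipped credential, which is the state the advisory describes.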

CISA urges organizations to minimize network exposure for all control system devices and to ensure they are not reachable from the internet. Control system networks should sit behind firewalls and be isolated from business networks. When remote access is required, more secure methods such as VPNs should be used, with the caveat that VPNs can themselves contain vulnerabilities and must be kept updated.

Daktronics controllers are used worldwide in digital signage for stadiums, transportation hubs, and public information displays. The broad deployment across critical infrastructure sectors makes these vulnerabilities particularly concerning, as successful exploitation could allow attackers to manipulate displayed content, disrupt operations, or use compromised controllers as entry points into broader networks.

Synthesized by Vypr AI