Daktronics Controller Flaws Allow Remote Hijacking of Highway Signs and Billboards
CISA warns of critical vulnerabilities in Daktronics controllers that could allow attackers to remotely manipulate highway signs and billboards, potentially displaying false information or taking full control of the devices.

CISA has issued a stern warning regarding three critical and high-severity vulnerabilities discovered in Daktronics controllers, devices that manage vast networks of highway signs and digital billboards. These flaws, if exploited, could grant attackers unauthorized remote access, enabling them to tamper with displayed content or even gain complete control over the affected systems.
Daktronics, a prominent American company, is known for its large-scale LED video displays, electronic scoreboards, and digital billboards found in diverse locations ranging from sports arenas to major highways and international airports. The vulnerabilities specifically affect the VFC-DMP-5000, DMP-5000, and DMP-8000 controller models, which are integral to the operation of these widespread display systems.
The identified vulnerabilities include a path traversal flaw that allows unauthenticated attackers to enumerate files on the device's file system, an authenticated arbitrary file upload vulnerability, and the presence of default administrator credentials that often remain unchanged. CISA highlighted that successful exploitation could lead to an unauthenticated user gaining root-level access and full control over the system.
Security researcher Thomas Jou, who discovered the flaws, noted that multiple internet-exposed controllers were identified, presenting a direct pathway for remote exploitation. While Daktronics has released patches and advised users to change default passwords, the responsibility for securing individual installations ultimately falls on the customers. Jou's research indicated that a significant number of internet-connected units were still utilizing the default credentials, increasing their susceptibility.
The potential impact ranges from the relatively benign act of reading sensitive files for reconnaissance to the more severe scenario of pushing malicious content or code onto the devices. In practical terms, this could mean displaying false or misleading messages on public signage, disseminating fake alerts, or, in the worst-case scenario, achieving full device compromise.
Daktronics has been responsive to the vulnerability disclosure process, which was managed through CISA's Vulnerability Identification and Notification Coordination Environment (VINCE) platform. Jou reported the issues in early January 2026, and the vendor had patched firmware versions ready by early March, with the subsequent period dedicated to advisory preparation and customer notification.
While Daktronics has not yet publicly commented on the advisory, the company's swift action in developing patches demonstrates a commitment to addressing the security concerns. The CISA advisory serves as a critical alert for all organizations utilizing Daktronics equipment, urging them to implement the necessary security measures, including updating firmware and ensuring default credentials are changed, to mitigate the risks posed by these vulnerabilities.
This incident underscores the ongoing security challenges within the operational technology (OT) sector, particularly for critical infrastructure like transportation systems. The ability of attackers to manipulate public displays could have far-reaching consequences, from causing public confusion and panic to potentially disrupting traffic flow or spreading misinformation.