CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

Daktronics Controller Firmware

criticalCVE-2026-28701CVE-2026-33560CVE-2026-31928
View CSAF Summary Successful exploitation of these vulnerabilities could could provide an unauthenticated user with complete root-level access and control of the system. The following versions of Daktronics Controller Firmware are affected: VFC-DMP-5000 <v8.117.x.x VFC-DMP-5000 <v9.43.x.x VFC-DMP-5000 <v10.34.x.x DMP-5000 <v10.34.x.x DMP-5000 <v8.117.x.x DMP-5000 <v9.43.x.x DMP-8000 <v10.34.x.x DMP-8000 <v8.117.x.x DMP-8000 <v9.43.x.x CVSS Vendor Equipment Vulnerabilities v3 8.1 Daktronics Daktronics Controller Firmware Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Unrestricted Upload of File with Dangerous Type, Use of Hard-coded Credentials Background Critical Infrastructure Sectors: Commercial Facilities, Information Technology, Emergency Services, Healthcare and Public Health Countries/Areas Deployed: Worldwide Company Headquarters Location: United States Vulnerabilities Expand All + CVE-2026-28701 Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths. View CVE Details Affected Products Daktronics Controller Firmware Vendor: Daktronics Product Version: Daktronics VFC-DMP-5000: <v8.117.x.x, Daktronics VFC-DMP-5000: <v9.43.x.x, Daktronics VFC-DMP-5000: <v10.34.x.x, Daktronics DMP-5000: <v10.34.x.x, Daktronics DMP-5000: <v8.117.x.x, Daktronics DMP-5000: <v9.43.x.x, Daktronics DMP-8000: <v10.34.x.x, Daktronics DMP-8000: <v8.117.x.x, Daktronics DMP-8000: <v9.43.x.x Product Status: known_affected Remediations Mitigation Daktronics recommends users update their device software to one of the following versions (based on product configuration in use): 8.117.0.x, 9.43.0.x, or 10.34.0.x Mitigation Daktronics recommends updating the default passwords and encourages using strong, unique credentials per device. Relevant CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Metr

CSIRTS triage

vendor: Daktronicsproduct: Controller FirmwarePrivilege escalationOtheraffected: VFC-DMP-5000 <v8.117.x.x, v9.43.x.x, v10.34.x.x; DMP-5000 <v10.34.x.x, v8.117.x.x, v9.43.x.x; DMP-8000 <v10.34.x.x, v8.117.x.x, v9.43.x.x
What
Vulnerabilities could provide unauthenticated users with root-level access.
Who is affected
Users of Daktronics Controller Firmware with the specified versions.
Urgency
Critical urgency due to the potential for complete system control.
Action
Update to the latest firmware version to address these vulnerabilities.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch Controller Firmware

Get an email when a new Controller Firmware advisory drops — max one per day, one-click unsubscribe.

Details

Source
CISA Cybersecurity Advisories (US · national-cert · site)
Severity
critical
Published
2026-06-25
Exploitation
Not in CISA KEV at last sync

Original advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-04

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-28701coverage & exploitation statusNVD · CVE.org
CVE-2026-33560coverage & exploitation statusNVD · CVE.org
CVE-2026-31928coverage & exploitation statusNVD · CVE.org

Same CVEs, other sources

How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.

Recent advisories for Daktronics Controller Firmware

A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.

More from CISA Cybersecurity Advisories