Daktronics Controller Firmware
View CSAF Summary Successful exploitation of these vulnerabilities could could provide an unauthenticated user with complete root-level access and control of the system. The following versions of Daktronics Controller Firmware are affected: VFC-DMP-5000 <v8.117.x.x VFC-DMP-5000 <v9.43.x.x VFC-DMP-5000 <v10.34.x.x DMP-5000 <v10.34.x.x DMP-5000 <v8.117.x.x DMP-5000 <v9.43.x.x DMP-8000 <v10.34.x.x DMP-8000 <v8.117.x.x DMP-8000 <v9.43.x.x CVSS Vendor Equipment Vulnerabilities v3 8.1 Daktronics Daktronics Controller Firmware Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Unrestricted Upload of File with Dangerous Type, Use of Hard-coded Credentials Background Critical Infrastructure Sectors: Commercial Facilities, Information Technology, Emergency Services, Healthcare and Public Health Countries/Areas Deployed: Worldwide Company Headquarters Location: United States Vulnerabilities Expand All + CVE-2026-28701 Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths. View CVE Details Affected Products Daktronics Controller Firmware Vendor: Daktronics Product Version: Daktronics VFC-DMP-5000: <v8.117.x.x, Daktronics VFC-DMP-5000: <v9.43.x.x, Daktronics VFC-DMP-5000: <v10.34.x.x, Daktronics DMP-5000: <v10.34.x.x, Daktronics DMP-5000: <v8.117.x.x, Daktronics DMP-5000: <v9.43.x.x, Daktronics DMP-8000: <v10.34.x.x, Daktronics DMP-8000: <v8.117.x.x, Daktronics DMP-8000: <v9.43.x.x Product Status: known_affected Remediations Mitigation Daktronics recommends users update their device software to one of the following versions (based on product configuration in use): 8.117.0.x, 9.43.0.x, or 10.34.0.x Mitigation Daktronics recommends updating the default passwords and encourages using strong, unique credentials per device. Relevant CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Metr
CSIRTS triage
- What
- Vulnerabilities could provide unauthenticated users with root-level access.
- Who is affected
- Users of Daktronics Controller Firmware with the specified versions.
- Urgency
- Critical urgency due to the potential for complete system control.
- Action
- Update to the latest firmware version to address these vulnerabilities.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch Controller Firmware
Get an email when a new Controller Firmware advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-04
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-287010.70% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 49% of all scored CVEs.
- Low exploitation riskCVE-2026-335600.46% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 37% of all scored CVEs.
- Low exploitation riskCVE-2026-319280.57% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 43% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-28701 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-33560 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-31928 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- highCVE-2026-33560: The DMP-5000 file service exposes authenticated arbitrary file upload functionality. There are…nvd
- highCVE-2026-31928: The DMP-5000 devices are shipped with a default administrative web account with weak authentic…nvd
- criticalCVE-2026-28701: Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticat…nvd
Recent advisories for Daktronics Controller Firmware
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
More from CISA Cybersecurity Advisories
- highCISA Adds Two Known Exploited Vulnerabilities to Catalog2026-07-10
- criticalSchneider Electric PowerChute Serial Shutdown2026-07-09
- criticalOpenPLC v32026-07-09
- criticalSchneider Electric Easergy MiCOM Px40 Series2026-07-09
- highCISA Adds One Known Exploited Vulnerability to Catalog2026-07-07