CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-28701

criticalCVSS 9.8covered by 2 sourcesfirst seen 2026-06-25
View CSAF Summary Successful exploitation of these vulnerabilities could could provide an unauthenticated user with complete root-level access and control of the system. The following versions of Daktronics Controller Firmware are affected: VFC-DMP-5000 <v8.117.x.x VFC-DMP-5000 <v9.43.x.x VFC-DMP-5000 <v10.34.x.x DMP-5000 <v10.34.x.x DMP-5000 <v8.117.x.x DMP-5000 <v9.43.x.x DMP-8000 <v10.34.x.x DMP-8000 <v8.117.x.x DMP-8000 <v9.43.x.x CVSS Vendor Equipment Vulnerabilities v3 8.1 Daktronics Daktronics Controller Firmware Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Unrestricted Upload of File with Dangerous Type, Use of Hard-coded Credentials Background Critical Infrastructure Sectors: Commercial Facilities, Information Technology, Emergency Services, Healthcare and Public Health Countries/Areas Deployed: Worldwide Company Headquarters Location: United States Vulnerabilities Expand All + CVE-2026-28701 Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths. View CVE Details Affected Products Daktronics Controller Firmware Vendor: Daktronics Product Version: Daktronics VFC-DMP-5000: <v8.117.x.x, Daktronics VFC-DMP-5000: <v9.43.x.x, Daktronics VFC-DMP-5000: <v10.34.x.x, Daktronics DMP-5000: <v10.34.x.x, Daktronics DMP-5000: <v8.117.x.x, Daktronics DMP-5000: <v9.43.x.x, Daktronics DMP-8000: <v10.34.x.x, Daktronics DMP-8000: <v8.117.x.x, Daktronics DMP-8000: <v9.43.x.x Product Status: known_affected Remediations Mitigation Daktronics recommends users update their device software to one of the following versions (based on product configuration in use): 8.117.0.x, 9.43.0.x, or 10.34.0.x Mitigation Daktronics recommends updating the default passwords and encourages using strong, unique credentials per device. Relevant CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Metr

CSIRTS triage

vendor: Daktronicsproduct: Controller FirmwarePrivilege escalationOtheraffected: VFC-DMP-5000 <v8.117.x.x, v9.43.x.x, v10.34.x.x; DMP-5000 <v10.34.x.x, v8.117.x.x, v9.43.x.x; DMP-8000 <v10.34.x.x, v8.117.x.x, v9.43.x.x
What
Vulnerabilities could provide unauthenticated users with root-level access.
Who is affected
Users of Daktronics Controller Firmware with the specified versions.
Urgency
Critical urgency due to the potential for complete system control.
Action
Update to the latest firmware version to address these vulnerabilities.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-28701

Get an email if CVE-2026-28701 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-28701

CVE.org record

Embed the live status

CVE-2026-28701 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-28701 status](https://www.csirts.com/badge/CVE-2026-28701)](https://www.csirts.com/cve/CVE-2026-28701)