Critical Vulnerabilities in Daktronics Controller Firmware Expose Industrial Systems to Root-Level Takeover
A series of critical vulnerabilities discovered in **Daktronics Controller Firmware** could grant unauthenticated attackers complete root-level access and control over affected systems. These flaws, spanning path traversal, unrestricted file uploads, and hard-coded credentials, pose a significant risk to critical infrastructure sectors worldwide.
# Critical Flaws in Daktronics Firmware Allow Root-Level Access
**Daktronics**, a leading provider of large-format display systems, is urging users to update their controller firmware following the discovery of several severe vulnerabilities. Successful exploitation of these flaws could allow an unauthenticated attacker to achieve full root-level control over affected systems.
## Affected Systems and Scope
The vulnerabilities impact various versions of **Daktronics Controller Firmware**, specifically:
* **VFC-DMP-5000** versions prior to `v8.117.x.x`, `v9.43.x.x`, and `v10.34.x.x`
* **DMP-5000** versions prior to `v8.117.x.x`, `v9.43.x.x`, and `v10.34.x.x`
* **DMP-8000** versions prior to `v8.117.x.x`, `v9.43.x.x`, and `v10.34.x.x`
These systems are deployed globally across critical infrastructure sectors including Commercial Facilities, Information Technology, Emergency Services, and Healthcare and Public Health.
## The Vulnerabilities in Detail
Three distinct vulnerabilities collectively contribute to the high-risk scenario:
### **CVE-2026-28701**: Path Traversal
This flaw, categorized as **CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')**, allows both authenticated and unauthenticated remote users to escape the intended directory. Attackers could enumerate arbitrary file system paths, potentially gaining insight into system structure and sensitive files.
### **CVE-2026-33560**: Unrestricted File Upload
Identified as **CWE-434 Unrestricted Upload of File with Dangerous Type**, this vulnerability affects the **DMP-5000** file service. It exposes authenticated arbitrary file upload functionality without proper validation. Attackers can upload files of any type, including executable binaries and scripts, directly to the server, enabling remote code execution.
### **CVE-2026-31928**: Hard-coded Credentials
Falling under **CWE-798 Use of Hard-coded Credentials**, this vulnerability stems from **DMP-5000** devices being shipped with a default administrative web account that has weak authentication controls. Crucially, these credentials are not required to be changed during initial configuration or operation, providing full system access to anyone who knows them.
## Acknowledgment and Recommendations
The vulnerabilities were reported to **CISA** by **Thomas Jou** of **Princeton University**. While no public exploitation has been reported to **CISA** at this time, the severity of these flaws necessitates immediate action.
**CISA** strongly recommends that organizations implement the following defensive measures:
* **Minimize Network Exposure**: Ensure all control system devices and systems are not directly accessible from the internet.
* **Network Segmentation**: Locate control system networks and remote devices behind firewalls and isolate them from business networks.
* **Secure Remote Access**: When remote access is necessary, utilize secure methods such as Virtual Private Networks (**VPNs**), ensuring VPNs are updated to the most current versions and recognizing their security is dependent on connected devices.
* **Impact Analysis**: Perform thorough impact analysis and risk assessment before deploying any defensive measures.
* **Adhere to Best Practices**: Review and implement recommended cybersecurity strategies for proactive defense of Industrial Control Systems (**ICS**) assets, including defense-in-depth strategies.
Organizations observing any suspected malicious activity are encouraged to follow established internal procedures and report findings to **CISA**.