Daktronics Controller Firmware

// Description

Successful exploitation of these vulnerabilities could could provide an unauthenticated user with complete root-level access and control of the system.

// Vulnerabilities (3)

CVE ID	CVSS Score	Severity	Description
CVE-2026-31928	8.1	high	The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration or operation. Using these accounts provides full system access.
CVE-2026-28701	7.7	high	Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths.
CVE-2026-33560	7.1	high	The DMP-5000 file service exposes authenticated arbitrary file upload functionality. There are exposed endpoints which allows authenticated users to upload files of any type without validation. No file extension filtering or content inspection is enforced which allows executable binaries and scripts to be accepted and written directly to the server.

// Remediations (2)

Mitigation: Daktronics recommends updating the default passwords and encourages using strong, unique credentials

Daktronics recommends updating the default passwords and encourages using strong, unique credentials per device.

Mitigation: Daktronics recommends users update their device software to one of the following versions (based on

Daktronics recommends users update their device software to one of the following versions (based on product configuration in use): 8.117.0.x, 9.43.0.x, or 10.34.0.x

// Description

// Vulnerabilities (3)

// Remediations (2)

// References