CISA flags critical Daktronics controller firmware flaws
Display controllers in hospitals and public facilities sit close enough to physical operations that default credentials become operational risk.
TL;DR
CISA published ICSA-26-176-04 for three Daktronics Controller Firmware vulnerabilities affecting VFC-DMP-5000, DMP-5000, and DMP-8000 versions below 8.117.x.x, 9.43.x.x, and 10.34.x.x worldwide. Commercial facilities, information technology, emergency services, and healthcare operators should update to 8.117.0.x, 9.43.0.x, or 10.34.0.x and replace default passwords. Two CVSS 4.0 scores hit 9.3 critical; CISA says exploitation could give an unauthenticated user complete root-level control.
CISA's June 25 advisory is a firmware update story with teeth. Daktronics Controller Firmware for VFC-DMP-5000, DMP-5000, and DMP-8000 devices has three reported vulnerabilities: path traversal, unrestricted upload of dangerous file types, and hard-coded credentials. The affected versions are those below the 8.117.x.x, 9.43.x.x, and 10.34.x.x branches, depending on product configuration. Daktronics recommends updating to 8.117.0.x, 9.43.0.x, or 10.34.0.x and changing default passwords to strong, unique credentials per device.
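One way to turn the version thresholds above into an inventory check, as an added Python example that is not Daktronics or CISA tooling: it assumes firmware versions are written A.B.C.D (or A.B.C) and that the leading number identifies the 8, 9 or 10 branch (the advisory does not map branches to product configurations, so that mapping stays a manual step); the hostnames and version strings are constructed for illustration.

```python
"""Triage a controller inventory against the fixed firmware branches named in
ICSA-26-176-04. Added illustration, not Daktronics or CISA tooling.

Assumptions: versions are written A.B.C.D (or A.B.C), and the leading number
identifies the branch (8 -> 8.117.0.x, 9 -> 9.43.0.x, 10 -> 10.34.0.x).
"""
from __future__ import annotations

from dataclasses import dataclass

# Minimum fixed minor version per branch, from the advisory. The fixes are given
# as 8.117.0.x / 9.43.0.x / 10.34.0.x, so any A.B with B at or above this value
# is on the fixed side of the line.
FIXED_MINOR_BY_BRANCH = {8: 117, 9: 43, 10: 34}


def parse_version(text: str) -> tuple[int, ...]:
    """Parse 'A.B.C[.D]' into a tuple of ints; raise ValueError on anything else."""
    parts = text.strip().split(".")
    if not 3 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Classify one firmware version as 'vulnerable', 'fixed' or 'unknown-branch'."""
    major, minor = parse_version(version)[:2]
    fixed_minor = FIXED_MINOR_BY_BRANCH.get(major)
    if fixed_minor is None:
        return "unknown-branch"  # not one of the three branches the advisory covers
    return "fixed" if minor >= fixed_minor else "vulnerable"


@dataclass(frozen=True)
class Controller:
    host: str
    model: str
    firmware: str


def triage(inventory: list[Controller]) -> dict[str, list[str]]:
    """Group hosts by assessment so patching and segmentation work can be prioritised.

    Unparsable versions get their own bucket rather than being silently skipped:
    a controller whose firmware nobody recorded is exactly the one to look at.
    """
    buckets: dict[str, list[str]] = {
        "vulnerable": [], "fixed": [], "unknown-branch": [], "unparsable": []
    }
    for ctl in inventory:
        try:
            buckets[assess(ctl.firmware)].append(ctl.host)
        except ValueError:
            buckets["unparsable"].append(ctl.host)
    return buckets


# Constructed sample inventory; hostnames and version strings are invented.
SAMPLE_INVENTORY = [
    Controller("sign-lobby-01", "DMP-5000", "8.116.2.0"),
    Controller("sign-er-entrance", "DMP-8000", "9.43.0.2"),
    Controller("sign-parking-03", "VFC-DMP-5000", "10.33.7.1"),
    Controller("sign-atrium", "DMP-5000", "10.34.0.0"),
    Controller("sign-annex", "DMP-8000", "7.2.1.0"),
    Controller("sign-legacy", "DMP-5000", "n/a"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:15} {', '.join(hosts) or '-'}")
```

The branch lookup deliberately returns "unknown-branch" rather than "fixed" for anything outside the three branches the advisory names, so a controller on an unexpected major version is surfaced for review instead of being counted as safe.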
The operational problem is the combination. CVE-2026-28701 can allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths, with a CVSS 4.0 score of 9.3 critical. CVE-2026-33560 exposes authenticated arbitrary file upload functionality in the DMP-5000 file service, accepting executable binaries and scripts without extension filtering or content inspection. CVE-2026-31928 covers default administrative web accounts that are not required to change during initial configuration or operation and can provide full system access. CISA's summary says successful exploitation could provide an unauthenticated user complete root-level access and control of the system.
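The two file-handling flaw classes described above have well-known defensive counterparts: confine every resolved path to the intended directory, and accept an upload only when its extension is allowlisted and its content agrees with that extension. The following Python is an added illustration of those checks, not the Daktronics file service; the content root, the allowlist and the magic-byte signatures are assumptions chosen for the example, and the request strings and upload bodies are constructed.

```python
"""Defensive counterparts to the two file-handling flaw classes in the advisory:
directory escape (path traversal) and upload of executables without extension
or content checks. Added illustration only; this is not the Daktronics file
service. The content root, the allowlist and the signatures are assumptions.
"""
from __future__ import annotations

from pathlib import Path

# Allowlisted extensions and the bytes a file claiming that type must start with.
ALLOWED_TYPES: dict[str, tuple[bytes, ...]] = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".txt": (),  # no magic number; checked as UTF-8 text below
}
# Leading bytes of native executables and scripts, rejected whatever the name says.
EXECUTABLE_MAGIC = (b"\x7fELF", b"MZ", b"#!")


def resolve_within(root: Path, requested: str) -> Path | None:
    """Return the absolute path for `requested` only if it stays under `root`.

    Absolute requests are refused outright. Relative ones are joined to the root
    and fully resolved ('..' segments and symlinks) before the containment check,
    so nested or disguised traversal sequences cannot pass a naive string test.
    """
    if requested.startswith(("/", "\\")) or Path(requested).is_absolute():
        return None
    base = root.resolve()
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None  # escaped the intended directory
    return candidate


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Accept an upload only if the extension is allowlisted and the content agrees."""
    ext = Path(filename).suffix.lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} is not allowlisted"
    if data.startswith(EXECUTABLE_MAGIC):
        return False, "content is an executable or script"
    signatures = ALLOWED_TYPES[ext]
    if signatures and not data.startswith(signatures):
        return False, f"content does not match {ext}"
    if ext == ".txt":
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return False, "content is not text"
    return True, "ok"


if __name__ == "__main__":
    root = Path("/srv/display/content")  # assumed content directory
    for req in ("logo.png", "../../other/file.txt", "sub/../../escape.txt", "/abs/path.txt"):
        print(f"{req!r:26} -> {resolve_within(root, req)}")
    samples = [  # constructed upload bodies
        ("banner.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 16),
        ("innocent.png", b"\x7fELF\x02\x01\x01" + b"\0" * 16),
        ("run.sh", b"#!/bin/sh\necho hi\n"),
        ("notes.txt", b"display schedule\n"),
    ]
    for name, blob in samples:
        print(f"{name:14} -> {validate_upload(name, blob)}")
```

Two design points matter here: the containment check compares fully resolved paths rather than substrings, and the upload check treats the extension and the content as two independent gates, so a binary renamed to `.png` is rejected by its leading bytes even though its name passes the allowlist.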
That matters because these are not only back-office screens. CISA lists commercial facilities, information technology, emergency services, and healthcare and public health as affected critical infrastructure sectors, with deployment worldwide. Municipal IT and facilities teams should treat this as an internet-exposure and segmentation check, not merely a ticket to load vendor firmware at the next maintenance window. CISA says it has no reports of public exploitation targeting these vulnerabilities, which is useful, but it does not answer the harder questions: how many deployed controllers remain reachable, and how many still carry the default administrative account that made this advisory critical in the first place.
Published · Deep Fathom