CVE-2026-28701 PUBLISHED

Daktronics Controller Firmware Path Traversal

Assigner: icscert
Reserved: 30.03.2026 Published: 26.06.2026 Updated: 26.06.2026

Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Product Status

Vendor Daktronics
Product VFC-DMP-5000
Versions Default: unaffected
  • affected from 0 to v8.117.x.x (excl.)
  • affected from 0 to v9.43.x.x (excl.)
  • affected from 0 to v10.34.x.x (excl.)
Vendor Daktronics
Product DMP-5000
Versions Default: unaffected
  • affected from 0 to v10.34.x.x (excl.)
  • affected from 0 to v8.117.x.x (excl.)
  • affected from 0 to v9.43.x.x (excl.)
Vendor Daktronics
Product DMP-8000
Versions Default: unaffected
  • affected from 0 to v10.34.x.x (excl.)
  • affected from 0 to v8.117.x.x (excl.)
  • affected from 0 to v9.43.x.x (excl.)

Workarounds

Daktronics recommends updating the default passwords and encourages using strong, unique credentials per device.

Solutions

Daktronics recommends users update their device software to one of the following versions (based on product configuration in use): 8.117.0.x, 9.43.0.x, or 10.34.0.x

Credits

  • Thomas Jou of Princeton University reported this vulnerability to CISA. finder

References

Problem Types

  • CWE-22 CWE