CVE-2026-31928 PUBLISHED

Daktronics Controller Firmware Use of Hard-coded Credentials

Assigner: icscert
Reserved: 30.03.2026 Published: 26.06.2026 Updated: 26.06.2026

The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration or operation. Using these accounts provides full system access.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
CVSS Score: 9.3

Product Status

Vendor Daktronics
Product VFC-DMP-5000
Versions Default: unaffected
  • affected from 0 to v8.117.x.x (excl.)
  • affected from 0 to v9.43.x.x (excl.)
  • affected from 0 to v10.34.x.x (excl.)
Vendor Daktronics
Product DMP-5000
Versions Default: unaffected
  • affected from 0 to v10.34.x.x (excl.)
  • affected from 0 to v8.117.x.x (excl.)
  • affected from 0 to v9.43.x.x (excl.)
Vendor Daktronics
Product DMP-8000
Versions Default: unaffected
  • affected from 0 to v10.34.x.x (excl.)
  • affected from 0 to v8.117.x.x (excl.)
  • affected from 0 to v9.43.x.x (excl.)

Workarounds

Daktronics recommends updating the default passwords and encourages using strong, unique credentials per device.

Solutions

Daktronics recommends users update their device software to one of the following versions (based on product configuration in use): 8.117.0.x, 9.43.0.x, or 10.34.0.x

Credits

  • Thomas Jou of Princeton University reported this vulnerability to CISA. finder

References

Problem Types

  • CWE-798 CWE