CVE-2026-33560 PUBLISHED

Daktronics Controller Firmware Unrestricted Upload of File with Dangerous Type

Assigner: icscert
Reserved: 30.03.2026 Published: 26.06.2026 Updated: 26.06.2026

The DMP-5000 file service exposes authenticated arbitrary file upload functionality. Exposed endpoints allow authenticated users to upload files of any type without validation. No file extension filtering or content inspection is enforced, so executable binaries and scripts are accepted and written directly to the server.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N
CVSS Score: 8.4

Product Status

Vendor Daktronics
Product VFC-DMP-5000
Versions Default: unaffected
  • affected from 0 to v8.117.x.x (excl.)
  • affected from 0 to v9.43.x.x (excl.)
  • affected from 0 to v10.34.x.x (excl.)
Vendor Daktronics
Product DMP-5000
Versions Default: unaffected
  • affected from 0 to v10.34.x.x (excl.)
  • affected from 0 to v8.117.x.x (excl.)
  • affected from 0 to v9.43.x.x (excl.)
Vendor Daktronics
Product DMP-8000
Versions Default: unaffected
  • affected from 0 to v10.34.x.x (excl.)
  • affected from 0 to v8.117.x.x (excl.)
  • affected from 0 to v9.43.x.x (excl.)

Workarounds

Daktronics recommends updating the default passwords and encourages using strong, unique credentials per device.

Solutions

Daktronics recommends users update their device software to one of the following versions (based on product configuration in use): 8.117.0.x, 9.43.0.x, or 10.34.0.x

Credits

  • Thomas Jou of Princeton University reported this vulnerability to CISA. (Credit type: finder)

Problem Types

  • CWE-434