Daktronics Controller Flaws Expose Highway Signs to Remote Hacking
- Flaws Identified: Three vulnerabilities affect Daktronics VFC-DMP-5000, DMP-5000, and DMP-8000 controllers.
- CISA Advisory: The flaws are documented in advisory ICSA-26-176-04 and include arbitrary file upload and full system access.
- Patches Released: Daktronics issued firmware fixes and urged customers to change default passwords.
Critical and high-severity vulnerabilities in several Daktronics controllers could allow attackers to tamper with highway signs and billboards, according to the researcher who discovered them. CISA warned that successful exploitation "could provide an unauthenticated user with complete root-level access and control of the system."
Daktronics, an American company, designs and manufactures large-scale LED video displays, electronic scoreboards, digital billboards, and dynamic audio systems deployed worldwide, from sports arenas to highways and metropolitan billboards.
Three Vulnerabilities Affect Daktronics Controllers
An advisory published by CISA, tracked as ICSA-26-176-04, states that the Daktronics VFC-DMP-5000, DMP-5000, and DMP-8000 controllers are affected by three flaws. These are:
- CVE-2026-28701 – Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths.
- CVE-2026-33560 – The DMP-5000 file service exposes authenticated arbitrary file upload functionality. Exposed endpoints allow authenticated users to upload files of any type without validation.
- CVE-2026-31928 – DMP-5000 devices ship with a default administrative web account that has weak authentication controls and is not required to be changed during initial configuration or operation, providing full system access.
Thomas Jou, the security researcher credited with reporting the vulnerabilities and an undergraduate at Princeton University, identified multiple internet-exposed controllers that could be exploited remotely.
Disclosure Timeline and Patches
Jou reported the flaws through CISA's VINCE platform in early January 2026, and patched firmware versions were ready by early March. He noted that it is up to customers to ensure installations are not exposed to the internet. Daktronics has released patches and advised users to change default passwords.
In mid-June, a FIFA World Cup API authorization bug let anyone hijack the live TV stream. Last month, hackers mass-exploited a cPanel vulnerability that could have affected 550,000+ servers.
Last year, hackers breached airport PA systems in Canada and the U.S., broadcasting political and anti-Israel messages.




