Impact
The DMP-5000 devices ship with a default administrative web account that lacks strong authentication controls. The credentials are not required to be changed during initial configuration or operation. An attacker who logs in with these default credentials obtains full administrative privileges, enabling configuration changes, data manipulation, or other actions that compromise confidentiality, integrity, and availability of the system.
Affected Systems
Daktronics DMP‑5000, DMP‑8000, and VFC‑DMP‑5000 controllers. The vulnerability affects all firmware versions shipped before the patched releases. Daktronics recommends upgrading to firmware 8.117.0.x for DMP‑5000, 9.43.0.x for DMP‑8000, or 10.34.0.x for VFC‑DMP‑5000, depending on each device’s configuration.
Risk and Exploitability
The CVSS score of 9.3 indicates a critical severity. Although EPSS is not available and there is no KEV listing, the vulnerability can still pose a significant risk. The likely attack vector is remote access to the web interface; the weakness is a‑798). If default passwords remain unchanged, an attacker can readily exploit the weakness, and the exploitation likelihood is high, especially in environments with internet‑accessible controllers.
OpenCVE Enrichment