Description
The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration or operation. Using these accounts provides full system access.
Published: 2026-06-26
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The DMP-5000 devices ship with a default administrative web account that lacks strong authentication controls. The credentials are not required to be changed during initial configuration or operation. An attacker who logs in with these default credentials obtains full administrative privileges, enabling configuration changes, data manipulation, or other actions that compromise confidentiality, integrity, and availability of the system.

Affected Systems

Daktronics DMP‑5000, DMP‑8000, and VFC‑DMP‑5000 controllers. The vulnerability affects all firmware versions shipped before the patched releases. Daktronics recommends upgrading to firmware 8.117.0.x for DMP‑5000, 9.43.0.x for DMP‑8000, or 10.34.0.x for VFC‑DMP‑5000, depending on each device’s configuration.

Risk and Exploitability

The CVSS score of 9.3 indicates a critical severity. Although EPSS is not available and there is no KEV listing, the vulnerability can still pose a significant risk. The likely attack vector is remote access to the web interface; the weakness is a‑798). If default passwords remain unchanged, an attacker can readily exploit the weakness, and the exploitation likelihood is high, especially in environments with internet‑accessible controllers.

Generated by OpenCVE AI on June 27, 2026 at 00:50 UTC.

Remediation

Vendor Solution

Daktronics recommends users update their device software to one of the following versions (based on product configuration in use): 8.117.0.x, 9.43.0.x, or 10.34.0.x


Vendor Workaround

Daktronics recommends updating the default passwords and encourages using strong, unique credentials per device.


OpenCVE Recommended Actions

  • Update device firmware to the recommended patched versions (8.117.0.x, 9.43.0.x, or 10.34.0.x) based on product configuration.
  • Immediately change the default administrative passwords to strong, unique values on each device.
  • Enforce network segmentation or firewall rules to restrict external access to the controllers’ web interfaces wherever possible.

Generated by OpenCVE AI on June 27, 2026 at 00:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Daktronics
Daktronics dmp-5000
Daktronics dmp-8000
Daktronics vfc-dmp-5000
Vendors & Products Daktronics
Daktronics dmp-5000
Daktronics dmp-8000
Daktronics vfc-dmp-5000

Mon, 29 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration or operation. Using these accounts provides full system access.
Title Daktronics Controller Firmware Use of Hard-coded Credentials
Weaknesses CWE-798
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}


Subscriptions

Daktronics Dmp-5000 Dmp-8000 Vfc-dmp-5000
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-06-29T13:56:54.725Z

Reserved: 2026-03-30T20:11:42.808Z

Link: CVE-2026-31928

cve-icon Vulnrichment

Updated: 2026-06-29T13:56:51.619Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T20:06:04Z

Weaknesses
  • CWE-798

    Use of Hard-coded Credentials