Description
The DMP-5000 file service exposes authenticated arbitrary file upload functionality. There are exposed endpoints which allows authenticated users to upload files of any type without validation. No file extension filtering or content inspection is enforced which allows executable binaries and scripts to be accepted and written directly to the server.
Published: 2026-06-26
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Daktronics firmware exposes authenticated endpoints that allow users to upload files of any type without validation or content inspection. This flaw means an attacker with credentials can upload executable binaries or scripts, which the device writes directly to its filesystem, potentially enabling execution of malicious code and full compromise of the controller.

Affected Systems

The vulnerability affects Daktronics DMP-5000, DMP-8000, and VFC-DMP-5000 devices. The vendor recommends updating to firmware 8.117.0.x, 9.43.0.x, or 10.34.0.x depending on product configuration to remediate the issue.

Risk and Exploitability

With a CVSS score of 8. data is available, the lack of a KEV listing does not diminish the risk—an attacker who authenticates can upload malicious files any time the service is reachable. The primary attack vector requires valid credentials, making the vulnerability less exploitable than unauthenticated flaws but still critical due to the ability to execute arbitrary code once authenticated.

Generated by OpenCVE AI on June 27, 2026 at 00:22 UTC.

Remediation

Vendor Solution

Daktronics recommends users update their device software to one of the following versions (based on product configuration in use): 8.117.0.x, 9.43.0.x, or 10.34.0.x


Vendor Workaround

Daktronics recommends updating the default passwords and encourages using strong, unique credentials per device.


OpenCVE Recommended Actions

  • Update the device firmware to one of the recommended versions provided by Daktronics (8.117.0.x, 9.43.0.x, or 10.34.0.x).
  • Change the default credentials and enforce strong, unique passwords for every device to eliminate credential reuse.
  • If file disable or restrict the upload endpoint to limit exposure.

Generated by OpenCVE AI on June 27, 2026 at 00:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Daktronics
Daktronics dmp-5000
Daktronics dmp-8000
Daktronics vfc-dmp-5000
Vendors & Products Daktronics
Daktronics dmp-5000
Daktronics dmp-8000
Daktronics vfc-dmp-5000

Mon, 29 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description The DMP-5000 file service exposes authenticated arbitrary file upload functionality. There are exposed endpoints which allows authenticated users to upload files of any type without validation. No file extension filtering or content inspection is enforced which allows executable binaries and scripts to be accepted and written directly to the server.
Title Daktronics Controller Firmware Unrestricted Upload of File with Dangerous Type
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}

cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N'}


Subscriptions

Daktronics Dmp-5000 Dmp-8000 Vfc-dmp-5000
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-06-29T13:15:20.091Z

Reserved: 2026-03-30T20:11:42.801Z

Link: CVE-2026-33560

cve-icon Vulnrichment

Updated: 2026-06-29T13:15:16.552Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T20:06:05Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type