Description
The DMP-5000 file service exposes authenticated arbitrary file upload functionality. Exposed endpoints allow authenticated users to upload files of any type without validation. No file extension filtering or content inspection is enforced, so executable binaries and scripts are accepted and written directly to the server.
Published: 2026-06-26
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Daktronics firmware exposes authenticated endpoints that allow users to upload files of any type without validation or content inspection. This flaw means an attacker with credentials can upload executable binaries or scripts, which the device writes directly to its filesystem, potentially enabling execution of malicious code and full compromise of the controller.

Affected Systems

The vulnerability affects Daktronics DMP-5000, DMP-8000, and VFC-DMP-5000 devices. The vendor recommends updating to firmware 8.117.0.x, 9.43.0.x, or 10.34.0.x depending on product configuration to remediate the issue.

Risk and Exploitability

With a CVSS score of 8.4 and no EPSS data available, the lack of a KEV listing does not diminish the risk: an attacker who authenticates can upload malicious files any time the service is reachable. The primary attack vector requires valid credentials, making the vulnerability less exploitable than unauthenticated flaws but still critical due to the ability to execute arbitrary code once authenticated.

Generated by OpenCVE AI on June 27, 2026 at 00:22 UTC.

Remediation

Vendor Solution

Daktronics recommends users update their device software to one of the following versions (based on product configuration in use): 8.117.0.x, 9.43.0.x, or 10.34.0.x.


Vendor Workaround

Daktronics recommends updating the default passwords and encourages using strong, unique credentials per device.


OpenCVE Recommended Actions

  • Update the device firmware to one of the recommended versions provided by Daktronics (8.117.0.x, 9.43.0.x, or 10.34.0.x).
  • Change the default credentials and enforce strong, unique passwords for every device to eliminate credential reuse.
  • If file upload is not required, disable or restrict the upload endpoint to limit exposure.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | The DMP-5000 file service exposes authenticated arbitrary file upload functionality. There are exposed endpoints which allows authenticated users to upload files of any type without validation. No file extension filtering or content inspection is enforced which allows executable binaries and scripts to be accepted and written directly to the server.
Title | | Daktronics Controller Firmware Unrestricted Upload of File with Dangerous Type
Weaknesses | | CWE-434
References | |
Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}; cvssV4_0: {'score': 8.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-06-26T22:48:56.236Z

Reserved: 2026-03-30T20:11:42.801Z

Link: CVE-2026-33560

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-27T00:30:05Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type