CISA has warned that several Daktronics display-controller firmware versions contain vulnerabilities that could put public-facing digital signs, billboards, and other large display systems at risk if operators leave the devices exposed or running with weak default setup choices.
The June 25 industrial control systems advisory covers Daktronics VFC-DMP-5000, DMP-5000, and DMP-8000 controllers. CISA says affected firmware can allow path traversal, authenticated arbitrary file upload, and use of hard-coded or default credentials. Taken together, the agency warns, successful exploitation could give an unauthenticated user root-level access and control of a system.
The issue became more visible on June 30 after SecurityWeek reported that the researcher credited with finding the flaws, Princeton undergraduate Thomas Jou, had identified multiple internet-exposed controllers. The report does not mean every Daktronics sign is exposed, but it sharpens the operational problem: these systems are often treated like display appliances even though they sit on networks, accept remote management, and can affect public information.
What Is Affected
The advisory lists vulnerable versions of controller firmware for the VFC-DMP-5000, DMP-5000, and DMP-8000 product families. The affected lines include versions below the fixed 8.117.x.x, 9.43.x.x, and 10.34.x.x branches, depending on the product configuration in use.
The three tracked flaws are CVE-2026-28701, a path traversal issue that can let remote users enumerate file-system paths; CVE-2026-33560, an authenticated file-upload weakness where dangerous file types are not properly blocked; and CVE-2026-31928, a default administrative credential issue that can provide full system access when the account has not been changed.
Daktronics recommends updating device software to the relevant fixed firmware branch and changing default passwords. That second step matters because a firmware update alone may not repair an exposed management habit. If a controller was installed with default credentials and reachable from outside a trusted network, the owner should treat the update as part of a broader exposure review.
Why Display Controllers Deserve Attention
Daktronics is best known for large LED scoreboards, message displays, digital billboards, venue screens, and transportation displays. Its own product pages describe software that lets operators create, schedule, monitor, and remotely manage display content across networks. For ordinary business use, that remote management is a feature. In a security incident, it becomes an access path that may control what thousands of people see in public.
The risk is not limited to prank messages on a roadside screen. Digital signs can carry emergency alerts, wayfinding, transit information, airport or venue instructions, hospital notices, election information, advertising schedules, or operational status messages. A compromised controller could create misinformation, disrupt service, damage a brand, or give an attacker a foothold into a poorly segmented network.
The advisory names commercial facilities, information technology, emergency services, and healthcare and public health as relevant sectors. That mix is a reminder that display systems are often owned outside the central IT or security organization. Marketing teams, facilities departments, transportation contractors, venue operators, and managed service providers may all have some role in purchasing, configuring, or maintaining them.
What Operators Should Check First
The first step is inventory. Organizations should identify whether they operate Daktronics VFC-DMP-5000, DMP-5000, or DMP-8000 controllers and record the exact firmware branch. That inventory should include systems installed at branch offices, stadiums, parking facilities, lobbies, clinics, campuses, transit sites, and contractor-managed advertising networks, not just equipment sitting in a data center.
Next, operators should check whether management services are reachable from the public internet. CISA’s recurring guidance for industrial control systems is to keep control-system devices off the open internet, isolate them from business networks, and place remote access behind properly secured VPNs. For sign controllers, that means reviewing firewall rules, NAT mappings, cloud access paths, vendor support tunnels, and any temporary exposure created during installation or troubleshooting.
Password review should be treated as urgent. Default administrative credentials, shared installer passwords, and old vendor-support accounts are common weak points in equipment that lives for years after deployment. Owners should rotate default passwords, use unique credentials per device or site, remove stale accounts, and make sure any vendor or contractor access has an accountable owner.
Patch planning should follow the device’s operational role. A billboard or lobby display can often be scheduled for maintenance with little public risk. A dynamic message sign, hospital information display, or emergency-notification screen may need a rollback plan, maintenance window, and confirmation that safety-critical messaging continues through another channel while the controller is updated.
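The inventory, exposure, and password checks above can be combined into one triage pass. The following is an added example, not code from CISA, Daktronics, or the original article. It assumes four-part dotted firmware strings in which the first field selects the branch; the inventory field names and sample rows are constructed for illustration.

```python
import re

# Minimum fixed minor version per branch, from the advisory summary above
# (8.117.x.x, 9.43.x.x, 10.34.x.x). First field = branch is an assumption.
FIXED_MINOR = {8: 117, 9: 43, 10: 34}
AFFECTED_MODELS = {"VFC-DMP-5000", "DMP-5000", "DMP-8000"}

def firmware_status(version):
    """Return 'fixed', 'vulnerable' or 'unknown' for a dotted version string."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.\d+)*\s*", version or "")
    if not m:
        return "unknown"
    major, minor = int(m.group(1)), int(m.group(2))
    if major not in FIXED_MINOR:
        return "unknown"  # branch not named on the page: confirm with the vendor
    return "fixed" if minor >= FIXED_MINOR[major] else "vulnerable"

def triage(inventory):
    """Rank affected-model controllers; highest score is the first to fix."""
    findings = []
    for dev in inventory:
        if dev["model"].upper() not in AFFECTED_MODELS:
            continue
        status = firmware_status(dev.get("firmware"))
        checks = [  # (weight, triggered, reason); exposure outranks patch level
            (2, bool(dev.get("internet_reachable")), "management reachable from internet"),
            (2, bool(dev.get("default_password")), "default admin password"),
            (1, status != "fixed", f"firmware {status}"),
        ]
        reasons = [reason for _, hit, reason in checks if hit]
        if reasons:
            score = sum(weight for weight, hit, _ in checks if hit)
            findings.append((score, dev["site"], reasons))
    return sorted(findings, key=lambda f: (-f[0], f[1]))

# Constructed sample inventory; sites, versions and flags are illustrative.
FIELDS = ("site", "model", "firmware", "internet_reachable", "default_password")
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    ("stadium-north", "DMP-8000", "10.33.2.0", True, True),
    ("clinic-lobby", "DMP-5000", "9.43.1.0", False, True),
    ("transit-hub", "VFC-DMP-5000", "8.116.0.4", False, False),
    ("hq-lobby", "DMP-5000", "9.44.0.1", False, False),
    ("parking-east", "DMP-8000", None, False, False),
]]

if __name__ == "__main__":
    for score, site, reasons in triage(SAMPLE):
        print(f"[{score}] {site}: " + "; ".join(reasons))
```

A controller on a fixed branch still appears in the output if it keeps a default password, which matches the point that the firmware update alone does not close the exposure.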
What To Look For After Exposure
Organizations that find an exposed controller should not stop at closing the firewall rule. They should review authentication logs, recent content changes, file uploads, scheduled messages, new accounts, configuration exports, and unexpected binaries or scripts. If logs are thin, teams can still compare current display playlists, firmware state, user lists, and remote-access settings against known-good records.
Segmentation is the longer-term fix. Display controllers should not share broad trust with point-of-sale systems, hospital records, municipal operations tools, building-management systems, or ordinary employee workstations. A sign controller is a computer with a public-facing job; it should be managed like one, with limited network reach, monitored access, and a clear owner responsible for updates.
The Daktronics advisory is not the largest vulnerability story of the week, but it is a useful one because it exposes a blind spot. Public screens are now part of the connected infrastructure layer. When they are misconfigured, forgotten, or left with default credentials, the risk moves from the server room into the physical spaces where people read instructions and make decisions.