Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable file service with low-complexity upload but requiring low-privilege authentication (PR:L); arbitrary writes give high integrity impact, limited confidentiality, no direct availability loss.
Primary rating from Vendor (icscert).
CVSS VectorVendor: icscert
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
The DMP-5000 file service exposes authenticated arbitrary file upload functionality. There are exposed endpoints which allows authenticated users to upload files of any type without validation. No file extension filtering or content inspection is enforced which allows executable binaries and scripts to be accepted and written directly to the server.
AnalysisAI
Arbitrary file upload in the Daktronics DMP-5000 (and related VFC-DMP-5000 and DMP-8000) media player file service lets authenticated users write files of any type - including executable binaries and scripts - directly to the server with no extension filtering or content inspection. This unrestricted upload (CWE-434) gives a low-privileged operator a path to plant and potentially execute malicious code on these OT digital-media/scoreboard controllers. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) network access to the DMP-5000/VFC-DMP-5000/DMP-8000 file service and (2) valid authentication at low privilege (CVSS PR:L) - it is not unauthenticated. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are moderate and broadly consistent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained low-privilege credentials to a network-reachable DMP-5000 file service uploads a malicious script or binary to an exposed endpoint that performs no extension or content validation. If that upload location is executable or later served, the attacker leverages it to run arbitrary code on the OT media controller, tampering with displayed content or pivoting within the operational network. … |
| Remediation | Apply the Daktronics-recommended remediation documented in CISA advisory ICSA-26-176-04 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-04) and the CSAF file (https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-176-04.json); no exact fixed version is provided in the available data, so verify the patched build directly from the vendor before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Daktronics DMP-5000, VFC-DMP-5000, and DMP-8000 devices and document current firmware versions; disable or restrict access to file upload functions where operationally feasible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Vfc Dmp 5000
View allPath traversal in Daktronics Controller Firmware for the VFC-DMP-5000, DMP-5000, and DMP-8000 display media players lets
Default administrative web credentials in Daktronics DMP-5000, VFC-DMP-5000, and DMP-8000 digital media players grant fu
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39924
GHSA-j595-prhp-3r49