Skip to main content

Dmp 5000

3 CVEs product

Monthly

CVE-2026-31928 CRITICAL CISA Emergency

Default administrative web credentials in Daktronics DMP-5000, VFC-DMP-5000, and DMP-8000 digital media players grant full system access to anyone who knows the shipped account, because the devices do not force a credential change during setup or operation. Tracked as CWE-798 (use of hard-coded/default credentials) and rated CVSS 4.0 9.3 by ICS-CERT, this lets a network-positioned attacker log into the management interface and seize complete control of the device. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but default-credential weaknesses are trivially abused once the device is reachable.

Authentication Bypass Vfc Dmp 5000 Dmp 5000 Dmp 8000
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-33560 HIGH CISA Act Now

Arbitrary file upload in the Daktronics DMP-5000 (and related VFC-DMP-5000 and DMP-8000) media player file service lets authenticated users write files of any type - including executable binaries and scripts - directly to the server with no extension filtering or content inspection. This unrestricted upload (CWE-434) gives a low-privileged operator a path to plant and potentially execute malicious code on these OT digital-media/scoreboard controllers. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

File Upload Vfc Dmp 5000 Dmp 5000 Dmp 8000
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.3%
CVE-2026-28701 CRITICAL CISA Emergency

Path traversal in Daktronics Controller Firmware for the VFC-DMP-5000, DMP-5000, and DMP-8000 display media players lets remote users break out of the intended directory and enumerate arbitrary file system paths, exposing the device's internal layout to attackers. Both authenticated and unauthenticated requests are accepted, and the flaw is reachable over the network with no user interaction. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, though the issue was reported through ICS-CERT and carries a CVSS 4.0 base score of 9.3.

Path Traversal Vfc Dmp 5000 Dmp 5000 Dmp 8000
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.8%
EPSS 0% CVSS 9.3
CRITICAL Emergency

Default administrative web credentials in Daktronics DMP-5000, VFC-DMP-5000, and DMP-8000 digital media players grant full system access to anyone who knows the shipped account, because the devices do not force a credential change during setup or operation. Tracked as CWE-798 (use of hard-coded/default credentials) and rated CVSS 4.0 9.3 by ICS-CERT, this lets a network-positioned attacker log into the management interface and seize complete control of the device. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but default-credential weaknesses are trivially abused once the device is reachable.

Authentication Bypass Vfc Dmp 5000 Dmp 5000 +1
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH Act Now

Arbitrary file upload in the Daktronics DMP-5000 (and related VFC-DMP-5000 and DMP-8000) media player file service lets authenticated users write files of any type - including executable binaries and scripts - directly to the server with no extension filtering or content inspection. This unrestricted upload (CWE-434) gives a low-privileged operator a path to plant and potentially execute malicious code on these OT digital-media/scoreboard controllers. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

File Upload Vfc Dmp 5000 Dmp 5000 +1
NVD GitHub VulDB
EPSS 1% CVSS 9.3
CRITICAL Emergency

Path traversal in Daktronics Controller Firmware for the VFC-DMP-5000, DMP-5000, and DMP-8000 display media players lets remote users break out of the intended directory and enumerate arbitrary file system paths, exposing the device's internal layout to attackers. Both authenticated and unauthenticated requests are accepted, and the flaw is reachable over the network with no user interaction. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, though the issue was reported through ICS-CERT and carries a CVSS 4.0 base score of 9.3.

Path Traversal Vfc Dmp 5000 Dmp 5000 +1
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy