
CISA Warns: Daktronics Scoreboard Firmware Ships with Hardcoded Root Credentials

Two of three disclosed vulnerabilities in Daktronics controller firmware score CVSS v4 9.3, letting unauthenticated attackers grab root-level control over global display systems

Tags: daktronics, industrial control systems, cisa, firmware vulnerability, hardcoded credentials, path traversal

Three vulnerabilities in Daktronics controller firmware, two of them carrying a CVSS v4 score of 9.3, let an unauthenticated attacker gain root-level access and full control of scoreboards and other display systems deployed worldwide. CISA published the advisory on June 25, crediting Thomas Jou of Princeton University for the findings.

Hardcoded Credentials Open the Door

CVE-2026-31928 is the ugliest: DMP-5000 units ship with a default administrative web account, and initial setup never forces the password to be changed. The advisory explicitly states these accounts provide full system access. CVSS v4 scores it 9.3 Critical: network-attackable, low complexity, no privileges required. In practice that is a backdoor shipped as the default, since anyone who knows the factory credentials and can reach the web interface is an administrator.

Path Traversal and Unrestricted File Upload Follow

CVE-2026-28701 affects the same family (VFC-DMP-5000, DMP-5000, DMP-8000): remote users, authenticated or not, can supply a path that escapes the intended directory and reaches files elsewhere on the filesystem. CVSS v4: another 9.3 Critical. Pair that with CVE-2026-33560, where the DMP-5000 file service exposes upload endpoints that accept executable binaries and scripts with no extension filtering and no content inspection. CVSS v4 for that one: 8.4 High. An attacker who can write a file of their choosing onto the controller can run arbitrary code on it.
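The two file-service bug classes above, path traversal and unrestricted upload, are easiest to see as a vulnerable handler beside a hardened one. The following is an added illustration, not Daktronics firmware code and not from the CISA advisory; the content root, the allow-listed upload types, and the sample requests and uploads are all constructed for the example.

```python
"""
Constructed example (not Daktronics firmware code): the two file-service bug
classes in the advisory, path traversal and unrestricted upload, shown as a
vulnerable handler beside a hardened one. CONTENT_ROOT, the allow-list and
all sample inputs are assumptions made for illustration.
"""
import os
import re

CONTENT_ROOT = "/var/lib/display/content"  # assumed content root


class PathTraversal(Exception):
    pass


class UploadRejected(Exception):
    pass


def resolve_path_vulnerable(root, requested):
    """Vulnerable: joins the user-controlled path straight onto the root.
    normpath collapses '..' segments, so '../../../etc/passwd' walks out."""
    return os.path.normpath(os.path.join(root, requested))


def resolve_path_safe(root, requested):
    """Hardened: resolve both sides with realpath, then require the result to
    sit inside the root. Absolute inputs and '..' chains both fail the check."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    if candidate != root_real and not candidate.startswith(root_real + os.sep):
        raise PathTraversal(requested)
    return candidate


def check_requests(root, requests):
    """Classify each requested path as 'ok' or 'blocked' under the safe resolver."""
    result = {}
    for req in requests:
        try:
            resolve_path_safe(root, req)
            result[req] = "ok"
        except PathTraversal:
            result[req] = "blocked"
    return result


# Allow-list of upload types with the leading bytes each must carry.
# Extension alone is not enough: a renamed ELF or shell script must fail too.
ALLOWED_UPLOADS = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
# Conservative filename shape: alphanumeric start, no separators, no leading dot.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def validate_upload_vulnerable(filename, data):
    """Vulnerable: accepts any name and any content, as the advisory describes."""
    return os.path.basename(filename)


def validate_upload_safe(filename, data):
    """Hardened: strip directories, require a conservative name, an allow-listed
    extension, and content whose magic bytes match that extension."""
    name = os.path.basename(filename)
    if not SAFE_NAME.fullmatch(name):
        raise UploadRejected(f"bad filename {filename!r}")
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_UPLOADS:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not any(data.startswith(magic) for magic in ALLOWED_UPLOADS[ext]):
        raise UploadRejected("content does not match declared type")
    return name


def check_uploads(uploads):
    """Classify (filename, data) pairs as 'ok' or 'rejected' under the safe validator."""
    result = {}
    for filename, data in uploads:
        try:
            validate_upload_safe(filename, data)
            result[filename] = "ok"
        except UploadRejected:
            result[filename] = "rejected"
    return result


if __name__ == "__main__":
    # Constructed sample requests and uploads.
    print(check_requests(CONTENT_ROOT, ["slides/intro.png", "../../../etc/passwd", "/etc/shadow"]))
    print(check_uploads([
        ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),      # genuine PNG header
        ("backdoor.sh", b"#!/bin/sh\necho hi\n"),             # script, extension not allowed
        ("update.png", b"\x7fELF" + b"\x00" * 12),            # ELF renamed to .png
        (".hidden.png", b"\x89PNG\r\n\x1a\n"),                # leading dot rejected
    ]))
```

The containment check compares resolved paths rather than string prefixes of the raw input, so symlinks under the content root and encoded `..` segments are handled the same way. For uploads, the magic-byte check is what the advisory's "no content inspection" finding is missing: a renamed binary passes an extension filter alone.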

Mitigation: Three Firmware Branches and a Password Change

Daktronics’ official fix pushes three firmware branches depending on the product configuration: 8.117.0.x, 9.43.0.x, or 10.34.0.x. The advisory also recommends updating default passwords and using strong, unique credentials per device. That second step should not be optional—if you haven’t changed the default admin password on a Daktronics controller, your scoreboard is a node waiting for a shell.
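A fleet owner's first job after this advisory is working out which controllers are on an unpatched build and which still carry the shipped admin password. The following triage helper is an added example, not Daktronics tooling. It assumes that the three fixed branches (8.117.0.x, 9.43.0.x, 10.34.0.x) mean a controller on major version 8 needs at least 8.117.0, on 9 at least 9.43.0, and on 10 at least 10.34.0, with any other major flagged for manual review; it also assumes a four-part version string and an inventory with a "default password changed" flag. The inventory entries are constructed.

```python
"""
Constructed fleet triage (not Daktronics tooling). Assumption: the advisory's
fixed branches 8.117.0.x, 9.43.0.x and 10.34.0.x mean a controller on major
version 8 needs firmware >= 8.117.0, on 9 >= 9.43.0, on 10 >= 10.34.0; any
other major is flagged for manual review rather than guessed at.
"""

FIXED_MINIMUM = {8: (8, 117, 0), 9: (9, 43, 0), 10: (10, 34, 0)}


def parse_version(text):
    """'9.42.3.17' -> (9, 42, 3, 17); raises ValueError on anything non-numeric
    or with fewer than three components."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 3:
        raise ValueError(f"unexpected version string {text!r}")
    return parts


def firmware_status(version):
    """'patched', 'vulnerable' or 'review' for one version string."""
    try:
        v = parse_version(version)
    except ValueError:
        return "review"
    minimum = FIXED_MINIMUM.get(v[0])
    if minimum is None:
        return "review"  # unknown branch: do not assume it is fixed
    return "patched" if v[:3] >= minimum else "vulnerable"


def device_status(version, default_password_changed):
    """Combine the firmware check with the advisory's second step: a patched
    controller still using the shipped admin password is reported as 'exposed'."""
    fw = firmware_status(version)
    if fw == "patched" and not default_password_changed:
        return "exposed"
    return fw


def triage_fleet(inventory):
    """inventory: iterable of (hostname, version, default_password_changed).
    Returns {hostname: status}."""
    return {host: device_status(ver, changed) for host, ver, changed in inventory}


if __name__ == "__main__":
    # Constructed inventory rows: hostname, reported firmware, password rotated?
    fleet = [
        ("scoreboard-north", "9.42.3.17", True),
        ("scoreboard-south", "9.43.0.2", False),
        ("er-lobby", "10.34.0.0", True),
        ("practice-field", "8.116.9.1", False),
        ("lab-unit", "11.0.0.1", True),
    ]
    for host, status in triage_fleet(fleet).items():
        print(f"{host:18} {status}")
```

The point of the combined status is that the advisory's two steps are not interchangeable: a controller on fixed firmware with the factory admin password still hands an administrator session to anyone who can reach it, so it is reported separately rather than folded into "patched".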

CISA notes no known public exploitation yet. With these controllers running in stadiums, emergency services, and healthcare facilities, the three-branch update needs to be fast-tracked; a display that is reachable on the network with a default admin account is an attack surface, not a scoreboard.


Source: Daktronics Controller Firmware
Domain: cisa.gov
