CISA published an advisory disclosing three vulnerabilities in Daktronics LED display controllers used in highway signage, roadside message boards, stadium scoreboards, and large outdoor billboards — any one of which gives a remote attacker root-level control over what the signs display.
Path Traversal, File Upload, and Default Credentials in Daktronics VFC-DMP
The advisory covers three Daktronics controller models: the VFC-DMP-5000, DMP-5000, and DMP-8000. These devices manage the content displayed on large LED installations in public infrastructure and commercial settings. The vulnerabilities discovered affect all three models and represent different attack entry points, but each leads to the same outcome: complete control of the display system.
The consequences of that control are direct and public-facing. An attacker who gains root access to a Daktronics controller can tamper with sign content, loading false or malicious messages onto highway displays, roadway signs, or large-format outdoor billboards. CISA’s advisory explicitly describes the exploitation impact as allowing attackers to “tamper with what the sign displays — loading false or malicious messages on billboards and roadway signage, or fake alerts.” A threat actor with that access could flash false emergency alerts on a highway, redirect traffic using incorrect lane guidance, or display malicious content to thousands of people simultaneously in a public space.
Unauthenticated Path Traversal and File Upload in DMP-5000 and DMP-8000
The first of the three vulnerabilities is an unauthenticated path traversal condition that allows a remote attacker to read and write files on the device without presenting any credentials. Path traversal on an embedded controller of this type provides access to configuration files, firmware components, and operational data that govern what the sign displays and how it is managed.
The second vulnerability is an authenticated arbitrary file upload flaw. An attacker who has authenticated to the device — including through the third vulnerability described below — can upload arbitrary files to the controller, providing a mechanism to deploy malicious content or replacement firmware.
The third vulnerability is the most straightforward: default administrator credentials that provide full system access. Devices shipped with and retaining default credentials require no exploitation of software bugs — an attacker simply logs in using the documented factory defaults. At the time of discovery, internet-exposed Daktronics controllers were confirmed to be reachable from the public internet. Any device retaining default credentials was accessible to any attacker with knowledge of those defaults.
Princeton Researcher Thomas Jou Reported the Flaws Through CISA VINCE
The three vulnerabilities were discovered by Thomas Jou, an undergraduate student at Princeton University, in January 2026. Jou reported the findings through CISA’s VINCE vulnerability coordination platform. Daktronics responded to the disclosure by releasing patched firmware in March 2026. CISA delayed public disclosure of the advisory to allow time for the patches to be distributed and deployed before attackers had public details of the flaws.
The CISA VINCE disclosure model — responsible reporting through a government coordination platform, followed by a vendor patch, followed by a public advisory — functioned as intended in this case. The delay between Jou’s January discovery and the June advisory gave Daktronics time to develop and distribute fixes before organizations running the affected controllers faced a public disclosure event.
Remote Public Infrastructure Risk and the Patch Urgency for Sign Operators
Highway signage is a category of critical public infrastructure where incorrect information carries direct physical risk. A highway sign that displays false emergency alerts or incorrect lane closures during high-traffic conditions can cause accidents or obstruct emergency response. Unlike a software vulnerability in an enterprise application, exploiting a sign controller vulnerability produces an effect that is visible to the public and that may not be immediately traceable to a cyberattack by drivers or emergency responders.
Operators of Daktronics VFC-DMP-5000, DMP-5000, and DMP-8000 controllers should confirm that patched firmware released in March 2026 has been applied. Organizations should also change any default administrator credentials that were not modified from factory settings, particularly on any device that was internet-accessible before the patch was deployed.
