CVE-2026-33560
7.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Summary
The DMP-5000 file service exposes authenticated arbitrary file upload functionality. There are exposed endpoints which allows authenticated users to upload files of any type without validation. No file extension filtering or content inspection is enforced which allows executable binaries and scripts to be accepted and written directly to the server.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Daktronics | VFC-DMP-5000 | 0 < v8.117.x.x | affected |
| Daktronics | VFC-DMP-5000 | 0 < v9.43.x.x | affected |
| Daktronics | VFC-DMP-5000 | 0 < v10.34.x.x | affected |
| Daktronics | DMP-5000 | 0 < v10.34.x.x | affected |
| Daktronics | DMP-5000 | 0 < v8.117.x.x | affected |
| Daktronics | DMP-5000 | 0 < v9.43.x.x | affected |
| Daktronics | DMP-8000 | 0 < v10.34.x.x | affected |
| Daktronics | DMP-8000 | 0 < v8.117.x.x | affected |
| Daktronics | DMP-8000 | 0 < v9.43.x.x | affected |
Weaknesses
- CWE-434: CWE-434
Workarounds
Daktronics recommends updating the default passwords and encourages using strong, unique credentials per device.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-04
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-176-04.json
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.