What happened
CISA published an advisory warning organizations about three vulnerabilities affecting Daktronics controllers used to operate large-scale displays.
Daktronics is a U.S. company that makes large LED video displays, electronic scoreboards, digital billboards, and dynamic audio systems. Its displays are used in locations such as high school gyms, professional sports arenas, highways, international airports, and metropolitan billboard networks.
The affected products are Daktronics VFC-DMP-5000, DMP-5000, and DMP-8000 controllers. These devices control large-scale displays, including highway signs and billboards.
The vulnerabilities include an unauthenticated path traversal issue, an authenticated arbitrary file upload issue, and default administrator credentials that provide full system access.
CISA warned that successful exploitation could give an unauthenticated attacker complete root-level access and control of an affected system.
Daktronics has released patches and advised users to change default passwords.
Security researcher Thomas Jou, who discovered and reported the flaws, said he identified multiple internet-exposed controllers that could be exploited remotely. He said it is up to Daktronics customers, rather than the vendor, to ensure their installations are not exposed to the internet.
Jou said the impact ranges from reconnaissance to full device control. The path traversal vulnerability could allow attackers to read files from the device, which may support reconnaissance and credential discovery. If default administrator credentials are still in use, attackers could then use the file upload vulnerability to place attacker-controlled content or code on the device.
In practical terms, an attacker could tamper with what a sign displays, including false messages on billboards, fake roadway alerts, or other unauthorized content. Full compromise may also be possible, though the researcher noted that this would be more complex in practice.
Jou reported the vulnerabilities through CISA’s VINCE platform in early January 2026. Daktronics acknowledged the findings, worked through technical details with Jou and CISA, and had patched firmware versions ready by around early March. The remaining time before public disclosure was used for coordinated advisory preparation and customer notification.
Who is affected
Organizations using Daktronics VFC-DMP-5000, DMP-5000, or DMP-8000 controllers are affected.
The risk is highest for customers with internet-exposed controllers, unchanged default administrator credentials, or unpatched firmware.
Transportation agencies, billboard operators, airports, sports venues, schools, municipalities, and organizations operating public-facing digital signage should review their exposure.
The practical impact could include unauthorized changes to highway signs, billboards, scoreboards, public displays, or other Daktronics-controlled signage.
Why CISOs should care
This incident highlights how physical-world display systems can become cyber risk points when controllers are exposed online or left with default credentials.
For CISOs, the most important concern is integrity. A compromised display controller may not expose large amounts of sensitive data, but it can allow attackers to manipulate public messages, create confusion, damage trust, or display false information in public spaces.
The highway sign and billboard context also makes the risk more visible than many traditional IT issues. Unauthorized messages on public infrastructure can create reputational, safety, operational, and public confidence consequences.
The case also reinforces a familiar OT and IoT security lesson: connected controllers should not be internet-exposed, default credentials should never remain active, and patching responsibility often sits with asset owners after vendors release fixes.
3 practical actions
- Patch affected Daktronics controllers: Daktronics has released patched firmware for the affected VFC-DMP-5000, DMP-5000, and DMP-8000 controllers. CISOs should identify deployed units and confirm firmware updates have been applied.
- Remove internet exposure and change default credentials: The researcher identified multiple internet-exposed controllers, and default administrator credentials can provide full system access. Security teams should restrict controller access to trusted networks and replace default passwords immediately.
- Monitor signage controllers for unauthorized changes: Attackers could tamper with billboard or roadway sign content. Organizations should review logs, configuration changes, file uploads, display schedules, and unexpected content changes across digital signage environments.
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.

