Critical and high-severity vulnerabilities in some Daktronics controllers could allow hackers to tamper with highway signs and billboards, according to the cybersecurity researcher who discovered the flaws.
Daktronics is an American company that designs, manufactures, and services large-scale LED video displays, electronic scoreboards, digital billboards, and dynamic audio systems. Its displays can be seen worldwide, spanning everything from high school gymnasiums and professional sports arenas to highways, international airports, and metropolitan billboards.
According to an advisory published by CISA last week, the Daktronics VFC-DMP-5000, DMP-5000, and DMP-8000 controllers, which control the company’s large-scale displays, are affected by three vulnerabilities.
The list includes a path traversal issue that can be exploited without authentication to enumerate arbitrary file system paths, an authenticated arbitrary file upload issue, and default admin credentials that provide full system access.
“Successful exploitation of these vulnerabilities could provide an unauthenticated user with complete root-level access and control of the system,” CISA warned in its advisory.
Daktronics has released patches and has advised users to change default passwords.
Thomas Jou, the security researcher credited with reporting the vulnerabilities, told SecurityWeek that he has identified multiple internet-exposed controllers, which hackers could exploit remotely.
However, Jou, an undergraduate at Princeton University, noted that it’s up to Daktronics customers rather than the vendor to ensure their installations are not exposed to the internet.
The researcher said the impact of the vulnerabilities ranges from simple reconnaissance to full control of the device.
“The path traversal vulnerability allows reading files off the device, which is useful for recon and credential discovery. The devices also shipped with default administrator credentials that weren’t required to be changed, and field testing showed a majority of internet-exposed units were still using them. From there, the file-upload vulnerability could allow an attacker to push attacker-controlled content or code onto the device.
In practical terms, an attacker could tamper with what the sign displays — loading false or malicious messages on billboards and roadway signage, or fake alerts — up to and including full compromise of the device (though in practice that last step is non-trivial).”
Jou said the vulnerability disclosure process was handled through CISA’s VINCE platform, and the vendor was very responsive.
“I reported the vulnerabilities through VINCE in early January 2026; they acknowledged the findings, worked through the technical details with me and CISA, and had patched firmware versions ready by around early March,” the researcher told SecurityWeek. “The remaining time before publication was largely coordinated advisory preparation and customer notification.”
Daktronics has not responded to SecurityWeek’s request for comment.
