CVE-2026-31928
Published 2026-06-26
Priority P358 · high · 8.1 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:N
EPSS: 0.45% (35.9th percentile)
The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration or operation. Using these accounts provides full system access.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| daktronics | dmp-5000 | < v10.34.x.x | v10.34.x.x |
| daktronics | dmp-5000 | < v8.117.x.x | v8.117.x.x |
| daktronics | dmp-5000 | < v9.43.x.x | v9.43.x.x |
| daktronics | dmp-8000 | < v10.34.x.x | v10.34.x.x |
| daktronics | dmp-8000 | < v8.117.x.x | v8.117.x.x |
| daktronics | dmp-8000 | < v9.43.x.x | v9.43.x.x |
| daktronics | vfc-dmp-5000 | < v8.117.x.x | v8.117.x.x |
| daktronics | vfc-dmp-5000 | < v9.43.x.x | v9.43.x.x |
| daktronics | vfc-dmp-5000 | < v10.34.x.x | v10.34.x.x |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
Daktronics VFC-DMP-5000/DMP-5000/DMP-8000 prior 8.117.x.x/9.43.x.x/10.34.x.x hard-coded credentials (icsa-26-176-04 / EUVD-2026-39925)
vuldb·2026-06-27·CVSS 8.1
CVE-2026-31928 [HIGH] Daktronics VFC-DMP-5000/DMP-5000/DMP-8000 prior 8.117.x.x/9.43.x.x/10.34.x.x hard-coded credentials (icsa-26-176-04 / EUVD-2026-39925)
A vulnerability labeled as critical has been found in Daktronics VFC-DMP-5000, DMP-5000 and DMP-8000. This affects an unknown function. Such manipulation leads to hard-coded credentials.
This vulnerability is documented as CVE-2026-31928. The attack can be executed remotely. There is not any exploit available.
The affected component should be upgraded.
GHSA
The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration or operation.
ghsa_unreviewed·2026-06-27
CVE-2026-31928 [CRITICAL] CWE-798 The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration or operation.
The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration or operation. Using these accounts provides full system access.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.