New Controller Flaws Expose Highway Signs and Billboards to Remote Hacking
Critical controller flaws allow remote hacking of highway signs and billboards.
Summary
Three critical and high-severity vulnerabilities have been discovered in Daktronics controllers used for highway signs and billboards, potentially allowing remote attackers to gain root-level access. These flaws include path traversal, authenticated file upload, and the use of default administrator credentials. While Daktronics has released patches and advised users to change default passwords, the researcher noted that many internet-exposed units still use default credentials, making them vulnerable to tampering with displayed messages or even full system compromise.
Full text
Critical and high-severity vulnerabilities in some Daktronics controllers could allow hackers to tamper with highway signs and billboards, according to the cybersecurity researcher who discovered the flaws. Daktronics is an American company that designs, manufactures, and services large-scale LED video displays, electronic scoreboards, digital billboards, and dynamic audio systems. Its displays can be seen worldwide, spanning everything from high school gymnasiums and professional sports arenas to highways, international airports, and metropolitan billboards. According to an advisory published by CISA last week, the Daktronics VFC-DMP-5000, DMP-5000, and DMP-8000 controllers, which control the company’s large-scale displays, are affected by three vulnerabilities. SecurityWeek ICS Cybersecurity Conference Heads to Nashville for Special 25-Year Anniversary Edition The list includes a path traversal issue that can be exploited without authentication to enumerate arbitrary file system paths, an authenticated arbitrary file upload issue, and default admin credentials that provide full system access. “Successful exploitation of these vulnerabilities could provide an unauthenticated user with complete root-level access and control of the system,” CISA warned in its advisory.Advertisement. Scroll to continue reading. Daktronics has released patches and has advised users to change default passwords. Thomas Jou, the security researcher credited with reporting the vulnerabilities, told SecurityWeek that he has identified multiple internet-exposed controllers, enabling hackers to exploit them remotely. However, Jou, an undergraduate at Princeton University, noted that it’s up to Daktronics customers rather than the vendor to ensure their installations are not exposed to the internet. The researcher said the impact of the vulnerabilities ranges from simple reconnaissance to full control of the device. “The path traversal vulnerability allows reading files off the device, which is useful for recon and credential discovery. The devices also shipped with default administrator credentials that weren’t required to be changed, and field testing showed a majority of internet-exposed units were still using them. From there, the file-upload vulnerability could allow an attacker to push attacker-controlled content or code onto the device. In practical terms, an attacker could tamper with what the sign displays — loading false or malicious messages on billboards and roadway signage, or fake alerts — up to and including full compromise of the device (though in practice that last step is non-trivial).” Jou said the vulnerability disclosure process was handled through CISA’s VINCE platform, and the vendor was very responsive. “I reported the vulnerabilities through VINCE in early January 2026; they acknowledged the findings, worked through the technical details with me and CISA, and had patched firmware versions ready by around early March,” the researcher told SecurityWeek. “The remaining time before publication was largely coordinated advisory preparation and customer notification.” Daktronics has not responded to SecurityWeek’s request for comment. Related: First-Ever Exploitation of PTC Windchill Vulnerability Discovered in the Wild Related: Lantronix Serial-to-IP Converter Flaw Exploited in Attacks After OT Threat Warning Related: Cal Water Says No OT Systems Breached in Iranian Handala Cyberattack Written By Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Eduard Kovacs Amazon Q Flaw Enabled Cloud Credential Theft via Malicious Repositories$3 Million Reportedly Stolen in Polymarket HackFirst-Ever Exploitation of PTC Windchill Vulnerability Discovered in the WildCal Water Says No OT Systems Breached in Iranian Handala CyberattackLantronix Serial-to-IP Converter Flaw Exploited in Attacks After OT Threat WarningCisco SD-WAN Zero-Day Exploited Months Before PatchingMicrosoft and Allies Smash Shared Infrastructure of Amadey and StealC MalwaremacOS Weaknesses Chained to Silently Disable Endpoint Security Agents Latest News WhatsApp Rolling Out Username Feature to Bolster Phone Number PrivacyResearchers Demo New Claude Code Attack Using Harmless-Looking Repositories to Hijack Developer MachinesStraiker Raises $64 Million for AI Security PlatformInsurance Regulators Group NAIC Hit in Oracle PeopleSoft Hack‘DirtyClone’ Linux Kernel Vulnerability Leads to Root AccessOpenAI and Anthropic Limit New AI Models to Trump-Approved Customers During Cybersecurity ReviewUS Offers $10 Million Bounty for Russian State Hackers as Messaging App Attacks EvolveOpenAI Unveils GPT-5.6 Sol as Its Most Advanced Cybersecurity AI Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveTracey Mustacchio has joined Everfox as Chief Marketing Officer.Mark Carter has been appointed Chief Information Security Officer at Socure.Spektrum Labs has named Mark Cravotta Chief Operating Officer.More People On The MoveExpert Insights When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) What the Latest ShinyHunters Breaches Reveal About Modern Cyberattacks Groups like ShinyHunters are demonstrating that attackers do not necessarily need malware or zero-day exploits to cause massive damage. (Torsten George) No Exploits Required Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures. (Tod Beardsley) After AI Reaches Production: 12 Ways Security Teams Can Take Control Security teams need more than visibility into AI applications, they need a repeatable framework for monitoring, investigating, and defending them in production. (Joshua Goldfarb) Everybody Is Vibe Coding But Nobody Told the Security Team AI-driven development is not something organizations can or should block. But it must be governed. (Danelle Au) Flipboard Reddit Whatsapp Whatsapp Email