Daktronics has released patches and has advised users to change default passwords.

Thomas Jou, the security researcher credited with reporting the vulnerabilities, told SecurityWeek that he has identified multiple internet-exposed controllers, enabling hackers to exploit them remotely.

However, Jou, an undergraduate at Princeton University, noted that it’s up to Daktronics customers rather than the vendor to ensure their installations are not exposed to the internet.

The researcher said the impact of the vulnerabilities ranges from simple reconnaissance to full control of the device.

“The path traversal vulnerability allows reading files off the device, which is useful for recon and credential discovery. The devices also shipped with default administrator credentials that weren’t required to be changed, and field testing showed a majority of internet-exposed units were still using them. From there, the file-upload vulnerability could allow an attacker to push attacker-controlled content or code onto the device. In practical terms, an attacker could tamper with what the sign displays — loading false or malicious messages on billboards and roadway signage, or fake alerts — up to and including full compromise of the device (though in practice that last step is non-trivial).”

Jou said the vulnerability disclosure process was handled through CISA’s VINCE platform, and the vendor was very responsive.

“I reported the vulnerabilities through VINCE in early January 2026; they acknowledged the findings, worked through the technical details with me and CISA, and had patched firmware versions ready by around early March,” the researcher told SecurityWeek. “The remaining time before publication was largely coordinated advisory preparation and customer notification.”

Daktronics has not responded to SecurityWeek’s request for comment.

Source: SecurityWeek