CVE-2026-33560
Analyzed
Analyzed - Analysis Complete
Authenticated Arbitrary File Upload in DMP-5000 File Service
Vulnerability report for CVE-2026-33560, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-26
Last updated on: 2026-07-06
Assigner: ICS-CERT
Description
Description
The DMP-5000 file service exposes authenticated arbitrary file upload functionality. There are exposed endpoints which allows authenticated users to upload files of any type without validation. No file extension filtering or content inspection is enforced which allows executable binaries and scripts to be accepted and written directly to the server.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| daktronics | dmp-5000_firmware | to 8.117.0.0 (exc) |
| daktronics | dmp-5000_firmware | From 10.0.0.0 (inc) to 10.34.0.0 (exc) |
| daktronics | dmp-5000_firmware | From 9.0.0.0 (inc) to 9.43.0.0 (exc) |
| daktronics | dmp-8000_firmware | to 8.117.0.0 (exc) |
| daktronics | dmp-8000_firmware | From 10.0.0.0 (inc) to 10.34.0.0 (exc) |
| daktronics | dmp-8000_firmware | From 9.0.0.0 (inc) to 9.43.0.0 (exc) |
| daktronics | vfc-dmp-5000_firmware | to 8.117.0.0 (exc) |
| daktronics | vfc-dmp-5000_firmware | From 10.0.0.0 (inc) to 10.34.0.0 (exc) |
| daktronics | vfc-dmp-5000_firmware | From 9.0.0.0 (inc) to 9.43.0.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |