CVE-2026-28701

Daktronics · VFC-DMP-5000

Daktronics VFC-DMP-5000 firmware contains a directory traversal vulnerability, allowing remote users to escape intended directories and enumerate arbitrary file system paths.

Executive summary

A critical directory traversal vulnerability in Daktronics VFC-DMP-5000 firmware allows both authenticated and unauthenticated remote attackers to enumerate sensitive file system paths.

Vulnerability

The firmware fails to properly sanitize input, enabling a directory traversal attack that permits remote actors (regardless of authentication status) to traverse the file system and access restricted directory structures.

Business impact

The CVSS score of 9.8 reflects the high risk of information disclosure and potential system compromise. By enumerating the file system, an attacker can identify configuration files, credentials, or sensitive system data, significantly increasing the risk of a full system takeover or further targeted attacks against the facility's infrastructure.

Remediation

Immediate Action: Update the VFC-DMP-5000 firmware to the latest available version provided by Daktronics.

Proactive Monitoring: Review system access logs for anomalous directory traversal patterns (e.g., "../" sequences) and unauthorized file access attempts.

Compensating Controls: Deploy a Web Application Firewall (WAF) or Network Intrusion Detection System (NIDS) to identify and block traffic containing directory traversal characters.
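The log review described under Proactive Monitoring can be scripted, as in this added example (not part of the original advisory and not Daktronics code). It assumes access logs in Common Log Format from the device or a fronting proxy, which the advisory does not specify; the sample lines, addresses and paths are constructed.

```python
import re
from urllib.parse import unquote

# Request target inside a Common Log Format line (assumed log format).
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# A ".." segment bounded by a path separator (either slash) or string edge.
DOTDOT_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

def normalize(target, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is exposed."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def is_traversal(target):
    """True if the path or any query value contains a '..' segment."""
    parts = re.split(r'[?&=;]', normalize(target))
    return any(DOTDOT_RE.search(p) for p in parts)

def scan(lines):
    """Return (line_number, client, raw_target) for each suspicious request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and is_traversal(m.group(1)):
            hits.append((n, line.split()[0], m.group(1)))
    return hits

# Constructed sample input: documentation-range addresses, hypothetical paths.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2026:10:00:05 +0000] "GET /files?dir=../../etc HTTP/1.1" 200 1024',
    '198.51.100.7 - - [01/Jan/2026:10:00:06 +0000] "GET /files?dir=%2e%2e%2f%2e%2e%2f HTTP/1.1" 200 90',
    '203.0.113.5 - - [01/Jan/2026:10:00:09 +0000] "GET /files?dir=%252e%252e%255c HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Jan/2026:10:00:12 +0000] "GET /docs/release..notes.txt HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for n, client, target in scan(SAMPLE_LOG):
        print(f"line {n}: {client} requested {target}")
```

Decoding before matching catches single- and double-encoded forms and backslash separators, while a bare ".." inside a filename is not flagged.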

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

This vulnerability is critical because exploitation does not require authentication. Administrators must apply the latest firmware updates as soon as possible to prevent unauthorized access to the underlying file system and potential exfiltration of configuration data.