{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/dsspro-digital-signage-system-6.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2020-37228"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["DSSPro Digital Signage System 6.2"],"_cs_severities":["critical"],"_cs_tags":["captcha-bypass","credential-access","brute-force"],"_cs_type":"advisory","_cs_vendors":["iDS6"],"content_html":"\u003cp\u003eiDS6 DSSPro Digital Signage System version 6.2 is vulnerable to a CAPTCHA security bypass, identified as CVE-2020-37228. This flaw allows unauthenticated attackers to circumvent the CAPTCHA mechanism by requesting the \u003ccode\u003eautoLoginVerifyCode\u003c/code\u003e object. By exploiting this vulnerability, attackers can retrieve valid CAPTCHA codes from the login endpoint and subsequently use them to conduct brute-force attacks against user accounts. 
The high CVSS score of 9.8 underscores the critical severity of this vulnerability, making it a significant risk for organizations using the affected digital signage system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an iDS6 DSSPro Digital Signage System 6.2 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to the login endpoint to retrieve the \u003ccode\u003eautoLoginVerifyCode\u003c/code\u003e object, bypassing the CAPTCHA.\u003c/li\u003e\n\u003cli\u003eThe system returns a valid CAPTCHA code to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the retrieved CAPTCHA code in a series of login attempts.\u003c/li\u003e\n\u003cli\u003eThe attacker inputs a username and attempts various passwords, along with the valid CAPTCHA.\u003c/li\u003e\n\u003cli\u003eThe system validates the CAPTCHA code, allowing the brute-force attack to proceed.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully guesses a valid password for a user account.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the iDS6 DSSPro Digital Signage System with the compromised account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2020-37228 allows attackers to bypass authentication mechanisms and gain unauthorized access to the iDS6 DSSPro Digital Signage System. This can lead to the compromise of sensitive information, disruption of digital signage operations, and potential further exploitation of the system. 
Given the high CVSS score, this poses a critical risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or upgrades provided by iDS6 to address CVE-2020-37228 on DSSPro Digital Signage System 6.2.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on login attempts to mitigate the brute-force attacks that this CAPTCHA bypass enables.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect iDS6 DSSPro Captcha Bypass\u003c/code\u003e to monitor for suspicious requests to the login endpoint with the \u003ccode\u003eautoLoginVerifyCode\u003c/code\u003e object.\u003c/li\u003e\n\u003cli\u003eReview user account access and privileges, and enforce strong password policies to reduce the risk of successful brute-force attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-16T16:17:03Z","date_published":"2026-05-16T16:17:03Z","id":"https://feed.craftedsignal.io/briefs/2026-05-ids6-dsspro-captcha-bypass/","summary":"iDS6 DSSPro Digital Signage System 6.2 contains a CAPTCHA security bypass vulnerability (CVE-2020-37228) that allows attackers to bypass authentication by requesting the autoLoginVerifyCode object and performing brute-force attacks against user accounts.","title":"iDS6 DSSPro Digital Signage System CAPTCHA Bypass Vulnerability (CVE-2020-37228)","url":"https://feed.craftedsignal.io/briefs/2026-05-ids6-dsspro-captcha-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — DSSPro Digital Signage System 6.2","version":"https://jsonfeed.org/version/1.1"}