<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>DSSPro Digital Signage System 6.2 — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/dsspro-digital-signage-system-6.2/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 16 May 2026 16:17:03 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/dsspro-digital-signage-system-6.2/feed.xml" rel="self" type="application/rss+xml"/><item><title>iDS6 DSSPro Digital Signage System CAPTCHA Bypass Vulnerability (CVE-2020-37228)</title><link>https://feed.craftedsignal.io/briefs/2026-05-ids6-dsspro-captcha-bypass/</link><pubDate>Sat, 16 May 2026 16:17:03 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-ids6-dsspro-captcha-bypass/</guid><description>iDS6 DSSPro Digital Signage System 6.2 contains a CAPTCHA security bypass vulnerability (CVE-2020-37228) that allows attackers to bypass authentication by requesting the autoLoginVerifyCode object and performing brute-force attacks against user accounts.</description><content:encoded><![CDATA[<p>iDS6 DSSPro Digital Signage System version 6.2 is vulnerable to a CAPTCHA security bypass, identified as CVE-2020-37228. This flaw allows unauthenticated attackers to circumvent the CAPTCHA mechanism by requesting the <code>autoLoginVerifyCode</code> object. By exploiting this vulnerability, attackers can retrieve valid CAPTCHA codes from the login endpoint and subsequently use them to conduct brute-force attacks against user accounts. 
The high CVSS score of 9.8 underscores the critical severity of this vulnerability, making it a significant risk for organizations using the affected digital signage system.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies an iDS6 DSSPro Digital Signage System 6.2 instance.</li>
<li>The attacker sends a request to the login endpoint to retrieve the <code>autoLoginVerifyCode</code> object, bypassing the CAPTCHA.</li>
<li>The system returns a valid CAPTCHA code to the attacker.</li>
<li>The attacker uses the retrieved CAPTCHA code in a series of login attempts.</li>
<li>The attacker inputs a username and attempts various passwords, along with the valid CAPTCHA.</li>
<li>The system validates the CAPTCHA code, allowing the brute-force attack to proceed.</li>
<li>The attacker successfully guesses a valid password for a user account.</li>
<li>The attacker gains unauthorized access to the iDS6 DSSPro Digital Signage System with the compromised account.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2020-37228 allows attackers to bypass authentication mechanisms and gain unauthorized access to the iDS6 DSSPro Digital Signage System. This can lead to the compromise of sensitive information, disruption of digital signage operations, and potential further exploitation of the system. Given the high CVSS score, this poses a critical risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply any available patches or upgrades provided by iDS6 to address CVE-2020-37228 on DSSPro Digital Signage System 6.2.</li>
<li>Implement rate limiting on login attempts to mitigate the brute-force attacks that the CAPTCHA bypass vulnerability enables.</li>
<li>Deploy the Sigma rule <code>Detect iDS6 DSSPro Captcha Bypass</code> to monitor for suspicious requests to the login endpoint with the <code>autoLoginVerifyCode</code> object.</li>
<li>Review user account access and privileges, and enforce strong password policies to reduce the risk of successful brute-force attacks.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>captcha-bypass</category><category>credential-access</category><category>brute-force</category></item></channel></rss>