Overview
CVE-2020-37228 is a critical authentication bypass vulnerability (CVSS 9.8) affecting iDS6 DSSPro Digital Signage System version 6.2. The flaw resides in the CAPTCHA verification mechanism used to protect the login page — an attacker can programmatically retrieve a valid CAPTCHA response from the autoLoginVerifyCode object exposed by the login endpoint, rendering the CAPTCHA control completely ineffective.
With CAPTCHA defeated, attackers can mount automated brute-force campaigns against user credentials with no rate-limiting obstacle in place.
Technical Details
The vulnerability stems from the fact that the login endpoint returns — or exposes through an accessible API object — the expected CAPTCHA solution at request time. An attacker who first calls this endpoint can extract the autoLoginVerifyCode value and replay it in a valid login submission, bypassing the challenge-response mechanism entirely.
This design error means:
- CAPTCHA is advisory only — it provides no real protection.
- Brute-force is unconstrained — scripts can iterate credential lists at full speed.
- No authentication required to exploit — the bypass is pre-auth and trivially automated.
Affected Products
| Product | Version |
|---|---|
| iDS6 DSSPro Digital Signage System | 6.2 |
Earlier or later versions have not been confirmed as affected at the time of disclosure.
Impact
Successful exploitation allows an unauthenticated attacker to bypass the CAPTCHA protection and perform automated credential brute-forcing against any user account on the system. If administrative credentials are compromised, attackers could gain full control over the digital signage infrastructure — modifying displayed content, exfiltrating stored media, or pivoting to the underlying host system.
Digital signage systems deployed in public-facing environments (retail, transportation, healthcare, government) are particularly high-value targets for manipulation and embarrassment attacks.
CVSS Score
| Metric | Value |
|---|---|
| Base Score | 9.8 (Critical) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Remediation
- Update immediately — apply any patches issued by the vendor for DSSPro 6.2 that address the CAPTCHA implementation.
- Network isolation — place the management interface behind a VPN or firewall; restrict access to trusted IP ranges.
- Rate limiting — implement server-side rate limiting or account lockout policies independent of the CAPTCHA control.
- Monitor login logs — alert on abnormal volumes of authentication attempts.
- Credential hygiene — enforce strong, unique passwords on all accounts; enable MFA if supported.
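As an added illustration (not code from the advisory or the vendor's product), the Python below contrasts a CAPTCHA issuer that leaks its expected solution in the response object, the design error described under Technical Details, with a hardened issuer that keeps the solution server-side, consumes it on first use, and backs the login check with a lockout counter that does not depend on the CAPTCHA, as the Remediation list recommends. The function names, the session dictionary, the `check_password` callback and the lockout threshold are assumptions for the example; only the `autoLoginVerifyCode` key name comes from the advisory.

```python
import hmac
import secrets
import string

MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold, not a value from the advisory
ALPHABET = string.ascii_uppercase + string.digits


def new_captcha_text(length=5):
    """Generate a CAPTCHA solution from a CSPRNG (never from a predictable counter)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def issue_captcha_vulnerable(session):
    """Mirrors the advisory's flaw: the expected solution travels to the client in the
    response object, so a script can read it back and replay it without solving anything."""
    session["captcha"] = new_captcha_text()
    return {"captchaImage": b"<png bytes>", "autoLoginVerifyCode": session["captcha"]}


def issue_captcha_fixed(session):
    """Hardened form: the solution is stored only server-side, bound to this session.
    Only the rendered challenge leaves the server."""
    session["captcha"] = new_captcha_text()
    return {"captchaImage": b"<png bytes>"}


def verify_login(session, username, password, captcha_answer, check_password, attempts):
    """Login check with two independent controls: a one-time CAPTCHA and a per-account
    lockout. `attempts` maps username -> failed count (persistent storage in practice)."""
    if attempts.get(username, 0) >= MAX_FAILED_ATTEMPTS:
        return "locked"
    # Consume the challenge whether or not the answer is right: one issuance, one attempt.
    expected = session.pop("captcha", None)
    if expected is None or not hmac.compare_digest(
        expected.encode(), captcha_answer.strip().upper().encode()
    ):
        attempts[username] = attempts.get(username, 0) + 1
        return "bad_captcha"
    if not check_password(username, password):
        attempts[username] = attempts.get(username, 0) + 1
        return "bad_credentials"
    attempts[username] = 0
    return "ok"
```

The lockout counter increments on CAPTCHA failures as well as password failures, so brute-force throughput is bounded even if the CAPTCHA control is later found to be weak again.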