CVE-2020-37228: iDS6 DSSPro Digital Signage System 6.2 CAPTCHA Security Bypass
iDS6 DSSPro Digital Signage System 6.2 contains a CAPTCHA security bypass vulnerability that allows attackers to bypass authentication by requesting the autoLoginVerifyCode object. Attackers can retrieve valid CAPTCHA codes via the login endpoint and use them to perform brute-force attacks against user accounts.
Security readout for executives and security teams
This flaw lets an unauthenticated attacker obtain valid CAPTCHA values from iDS6 DSSPro 6.2, weakening a key login defense. The practical risk is account brute forcing against digital signage administration. The source bundle shows a public exploit reference, but no KEV listing or cited confirmation of active exploitation. Exposure appears limited to organizations running Yerootech iDS6 DSSPro Digital Signage System 6.2, especially where the login interface is internet-accessible. The business impact is highest for environments where signage systems are operationally important, publicly visible, or connected to broader internal systems. Prioritize this as critical for any exposed DSSPro 6.2 deployment. The issue targets login protection and has public exploit material, so remediation or isolation should be handled quickly. If the product is not deployed, record that finding and no further urgent action is needed. Mitigation focus: Identify any deployed iDS6 DSSPro Digital Signage System 6.2 instances.; Check Yerootech or maintainer guidance for patches, upgrades, or supported mitigations.; Restrict access to the DSSPro login interface to trusted networks only..
Prepared
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-307: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
3Timeline events
1ADP providers
4Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: yesTechnical Impact: total
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-307 · source CWE mapping
Improper Restriction of Excessive Authentication Attempts
Improper Restriction of Excessive Authentication Attempts represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.