
CVE-2020-37228: iDS6 DSSPro Digital Signage CAPTCHA Bypass

The National Vulnerability Database (NVD) reports a critical CAPTCHA bypass, CVE-2020-37228, affecting iDS6 DSSPro Digital Signage System 6.2. An unauthenticated client can request the autoLoginVerifyCode object, which returns the valid CAPTCHA code for the login endpoint. The CAPTCHA therefore no longer stops automated login attempts: the attacker's script fetches the code, submits it with each guess, and is never challenged. Note that what is bypassed is the CAPTCHA, not the credential check itself; the attacker still has to guess or stuff valid credentials, but can now do so at machine speed.

This design flaw removes the only brake on password guessing. NVD assigns a CVSS score of 9.8 (CRITICAL). Attackers can use the retrieved CAPTCHA codes to run sustained credential-stuffing or brute-force attacks, leading to unauthorized access, data compromise and potentially full control of the signage system. NVD files it under CWE-307 (Improper Restriction of Excessive Authentication Attempts): the CAPTCHA was standing in for rate limiting and account lockout, and it can be satisfied by the attacker's own client.

Defenders should understand that a bypass like this removes whatever assurance the CAPTCHA was supposed to provide. This is not a solver defeating a hard challenge; the server discloses the answer on request. Any CAPTCHA design must keep the solution server-side, bind it to a single-use challenge identifier, and sit alongside, not in place of, attempt limiting. Organizations running iDS6 DSSPro Digital Signage System 6.2 should prioritize remediation to prevent account takeover.
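The design point above, as an added example that is not code from the advisory or from the iDS6 vendor: a toy login server whose CAPTCHA answers never leave the server, beside the anti-pattern the advisory describes (an endpoint that returns the stored answer), plus a per-account lockout so that guessing is throttled even if the CAPTCHA leaks. The endpoint and function names, the policy constants and the sample credential are assumptions for the simulation.

```python
import hmac
import secrets

CAPTCHA_TTL = 120        # seconds a challenge stays valid (assumed policy, not from the advisory)
MAX_FAILURES = 5         # failed logins per account before lockout (assumed policy)
LOCKOUT_SECONDS = 900    # assumed policy
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O/1/I; "1" is never a valid answer

# Constructed sample credential store, hypothetical, for the simulation only.
USERS = {"admin": "correct-horse-battery-staple"}


class CaptchaStore:
    """Server-side challenge store. Only an opaque id leaves the server; the
    answer is looked up by id and consumed on the first verification attempt."""

    def __init__(self):
        self._answers = {}   # challenge_id -> (answer, expires_at)

    def issue(self, now):
        answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
        cid = secrets.token_urlsafe(16)
        self._answers[cid] = (answer, now + CAPTCHA_TTL)
        return cid

    def answer_for_renderer(self, cid):
        """Internal hook for the image renderer. It must not be reachable over
        HTTP: returning this value to a client is the flaw the advisory describes."""
        return self._answers[cid][0]

    def verify(self, cid, submitted, now):
        entry = self._answers.pop(cid, None)   # single use, right or wrong
        if entry is None:
            return False
        answer, expires_at = entry
        if now > expires_at:
            return False
        return hmac.compare_digest(answer.encode(), submitted.upper().encode())


class LoginGuard:
    """CWE-307 control: per-account lockout that holds even if the CAPTCHA leaks.
    max_failures=None disables it (the CAPTCHA-as-only-brake situation)."""

    def __init__(self, max_failures=MAX_FAILURES):
        self._max = max_failures
        self._state = {}   # username -> (failure_count, locked_until)

    def allowed(self, username, now):
        return now >= self._state.get(username, (0, 0.0))[1]

    def record(self, username, success, now):
        if success:
            self._state.pop(username, None)
            return
        count, locked_until = self._state.get(username, (0, 0.0))
        count += 1
        if self._max is not None and count >= self._max:
            count, locked_until = 0, now + LOCKOUT_SECONDS
        self._state[username] = (count, locked_until)


def login(store, guard, username, password, cid, captcha, now):
    """Returns 'locked', 'bad_captcha', 'bad_password' or 'ok'.
    Lockout is checked before the CAPTCHA so a leaked code cannot bypass it."""
    if not guard.allowed(username, now):
        return "locked"
    if not store.verify(cid, captcha, now):
        return "bad_captcha"
    ok = hmac.compare_digest(USERS.get(username, "").encode(), password.encode())
    guard.record(username, ok, now)
    return "ok" if ok else "bad_password"


def leaky_verify_code_endpoint(store, cid):
    """Anti-pattern: an unauthenticated endpoint that hands back the stored answer,
    the behaviour the advisory attributes to the autoLoginVerifyCode object."""
    return store.answer_for_renderer(cid)


def simulate_guessing(guesses, leak, lockout):
    """Runs a guessing loop against the toy server and returns how many guesses
    reached the password check. With the leak and no lockout every guess gets
    through; with lockout the leak stops mattering after MAX_FAILURES."""
    store = CaptchaStore()
    guard = LoginGuard(MAX_FAILURES if lockout else None)
    reached, base = 0, 1_000_000.0
    for i, guess in enumerate(guesses):
        now = base + i
        cid = store.issue(now)
        captcha = leaky_verify_code_endpoint(store, cid) if leak else "GUESS1"
        result = login(store, guard, "admin", guess, cid, captcha, now)
        if result in ("ok", "bad_password"):
            reached += 1
        if result == "ok":
            break
    return reached
```

Running `simulate_guessing` with nine wrong passwords followed by the right one gives 10 password checks when the code leaks and no lockout exists, 5 when lockout is on (the correct guess never runs), and 0 when the client has to guess the CAPTCHA blind. The lockout check runs before CAPTCHA verification on purpose: a control that only triggers after a CAPTCHA success would be skipped by exactly the traffic it is meant to stop.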

What This Means For You

  • If your organization runs iDS6 DSSPro Digital Signage System 6.2, you are exposed to unrestricted password guessing against its login. Inventory every deployment, confirm the version, and apply the vendor fix once one is available. Where no fix exists yet, generic compensating controls apply: restrict network access to the login interface, place rate limiting or account lockout in front of it, and watch for bursts of requests for the autoLoginVerifyCode object from a single source. Leaving it unaddressed exposes the signage infrastructure, and anything it is connected to, to account compromise.

🛡️ Detection Rules

2 detection rules were auto-generated for this advisory and mapped to MITRE ATT&CK; the Sigma YAML of the first is reproduced below.

Severity: critical · ATT&CK: T1190 (Exploit Public-Facing Application), Initial Access. The follow-on guessing activity the bypass enables maps to T1110 (Brute Force).

CVE-2020-37228: iDS6 DSSPro CAPTCHA Bypass via autoLoginVerifyCode

title: CVE-2020-37228: iDS6 DSSPro CAPTCHA Bypass via autoLoginVerifyCode
id: scw-2026-05-16-ai-1
status: experimental
level: critical
description: |
  Detects requests for the autoLoginVerifyCode object in iDS6 DSSPro, which is
  abused in CVE-2020-37228 to obtain valid CAPTCHA codes and then guess
  credentials without impediment. A single match is expected from any client
  loading the login form if the form fetches this object itself; the attack
  signal is many matches from one source paired with a stream of login POSTs,
  so correlate on c-ip volume rather than alerting on every hit.
author: SCW Feed Engine (AI-generated)
date: 2026-05-16
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2020-37228/
tags:
  - attack.initial_access
  - attack.t1190
  - attack.credential_access
  - attack.t1110
logsource:
  category: webserver
detection:
  # The advisory does not say whether the object is addressed by path or by
  # query string, so both are matched.
  selection_query:
    cs-method: 'GET'
    cs-uri-query|contains: 'autoLoginVerifyCode'
  selection_path:
    cs-method: 'GET'
    cs-uri-stem|contains: 'autoLoginVerifyCode'
  condition: 1 of selection_*
fields:
  - c-ip
  - cs-uri-stem
  - cs-uri-query
falsepositives:
  - Legitimate users loading the login form, if the form requests this object
  - Legitimate administrative activity
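To show what the rule above does on traffic, here is an added example (not code from the page, the vendor or the rule's author) that applies the same selection to constructed W3C extended log lines and then adds the per-source rate check the rule's false-positive note calls for: a source that fetches the object more than a threshold number of times within a minute and also posts to the login endpoint that often is flagged, while a user who loads the form once and logs in is not. The field layout, the `/login` paths, the `object=` query parameter and the thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH_HINT = "login"            # assumed: login endpoints contain this in the path
BURST_WINDOW = timedelta(seconds=60)
CAPTCHA_THRESHOLD = 10               # assumed: >= 10 object fetches per source per window
LOGIN_THRESHOLD = 10                 # assumed: paired with >= 10 login POSTs in the window


def parse_w3c(line):
    """Parses one constructed W3C extended line:
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status"""
    date, time_, c_ip, method, stem, query, status = line.split()
    return {
        "ts": datetime.fromisoformat(f"{date} {time_}"),
        "c_ip": c_ip,
        "cs_method": method,
        "cs_uri_stem": stem,
        "cs_uri_query": "" if query == "-" else query,
        "sc_status": int(status),
    }


def sigma_selection(ev):
    """Port of the rule's detection block: a GET naming the object in the
    query string or in the path."""
    return ev["cs_method"] == "GET" and (
        "autoLoginVerifyCode" in ev["cs_uri_query"]
        or "autoLoginVerifyCode" in ev["cs_uri_stem"]
    )


def is_login_post(ev):
    return ev["cs_method"] == "POST" and LOGIN_PATH_HINT in ev["cs_uri_stem"].lower()


def detect(lines):
    """Returns (raw rule hits, sources flagged by the rate check)."""
    events = sorted((parse_w3c(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    rule_hits = [e for e in events if sigma_selection(e)]
    captcha_win = defaultdict(deque)   # c-ip -> timestamps of object fetches
    login_win = defaultdict(deque)     # c-ip -> timestamps of login POSTs
    flagged = set()
    for ev in events:
        ip = ev["c_ip"]
        if sigma_selection(ev):
            captcha_win[ip].append(ev["ts"])
        elif is_login_post(ev):
            login_win[ip].append(ev["ts"])
        else:
            continue
        # Slide both windows forward to the current event.
        for win in (captcha_win[ip], login_win[ip]):
            while win and ev["ts"] - win[0] > BURST_WINDOW:
                win.popleft()
        if len(captcha_win[ip]) >= CAPTCHA_THRESHOLD and len(login_win[ip]) >= LOGIN_THRESHOLD:
            flagged.add(ip)
    return rule_hits, sorted(flagged)


def build_sample():
    """Constructed log: one ordinary login from 10.0.0.5, then a client at
    203.0.113.9 fetching the object and posting a guess every two seconds."""
    lines = [
        "2026-05-16 12:00:01 10.0.0.5 GET /login/index.jsp - 200",
        "2026-05-16 12:00:02 10.0.0.5 GET /login/autoLoginVerifyCode - 200",
        "2026-05-16 12:00:20 10.0.0.5 POST /login/doLogin - 302",
    ]
    start = datetime(2026, 5, 16, 12, 1, 0)
    for i in range(30):
        ts = (start + timedelta(seconds=2 * i)).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{ts} 203.0.113.9 GET /login/index.jsp object=autoLoginVerifyCode 200")
        lines.append(f"{ts} 203.0.113.9 POST /login/doLogin - 200")
    return lines


if __name__ == "__main__":
    hits, sources = detect(build_sample())
    print(f"rule hits: {len(hits)}, flagged sources: {sources}")
```

On the constructed sample the literal rule fires 31 times (once for the ordinary user, thirty times for the guessing client) while the rate check names only 203.0.113.9. Forwarding the raw hits as a low-priority event and reserving the alert for the correlated pattern keeps the rule usable on a login page that every visitor touches.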

Source: Shimi's Cyber World

Indicators of Compromise

ID              Type         Indicator
CVE-2020-37228  Auth Bypass  iDS6 DSSPro Digital Signage System 6.2 (affected product and version)
CVE-2020-37228  Auth Bypass  CAPTCHA security bypass via the autoLoginVerifyCode object
CVE-2020-37228  Auth Bypass  Brute-force attacks against user accounts using CAPTCHA codes obtained from the login endpoint

These entries describe the vulnerability and its exploitation pattern rather than atomic indicators; no hashes, addresses or domains are published for this CVE.

Source & Attribution
Source Platform: NVD
Channel: National Vulnerability Database
Published: May 16, 2026 at 19:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
