Description
iDS6 DSSPro Digital Signage System 6.2 contains a CAPTCHA security bypass vulnerability that allows attackers to bypass authentication by requesting the autoLoginVerifyCode object. Attackers can retrieve valid CAPTCHA codes via the login endpoint and use them to perform brute-force attacks against user accounts.
Published: 2026-05-16
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in iDS6 DSSPro Digital Signage System 6.2 and is a CAPTCHA security bypass classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts). An attacker can request the autoLoginVerifyCode object and retrieve valid CAPTCHA codes from the login endpoint. Those codes can then be used to perform brute-force attacks against user accounts, ultimately bypassing the system's authentication mechanism. This flaw permits unauthorized access to protected resources without legitimate credentials, compromising confidentiality and potentially granting elevated privileges.

Affected Systems

Vendor: Yerootech. Product: iDS6 DSSPro Digital Signage System. Version: 6.2. No other versions are listed as affected in the current data.

Risk and Exploitability

The CVSS score of 9.3 (CVSS 4.0; 9.8 under CVSS 3.1) marks this flaw as Critical, indicating a severe risk when exploited. No EPSS score is available, and the absence of a KEV listing suggests no confirmed mass exploitation yet. Based on the description, the likely attack vector is a remote HTTP request to the system's login endpoint, where an attacker can retrieve the CAPTCHA code and then attempt password guessing. If successful, an attacker could gain full access to the web interface and any connected media resources.

Generated by OpenCVE AI on May 16, 2026 at 16:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor's website for any available patch; if none is released, follow the interim controls below.
  • Disable or restrict the autoLoginVerifyCode endpoint and enforce an account lockout policy after a small number of failed login attempts to prevent brute-force exploitation.
  • Apply rate-limiting or a web application firewall on the login endpoint to throttle repeated requests and block high-volume brute-force traffic.

Advisories

No advisories yet.

History

Sat, 16 May 2026 15:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: iDS6 DSSPro Digital Signage System 6.2 contains a CAPTCHA security bypass vulnerability that allows attackers to bypass authentication by requesting the autoLoginVerifyCode object. Attackers can retrieve valid CAPTCHA codes via the login endpoint and use them to perform brute-force attacks against user accounts.

Type: Title
Values Removed: (none)
Values Added: iDS6 DSSPro Digital Signage System 6.2 CAPTCHA Security Bypass

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-307

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-16T15:25:46.353Z

Reserved: 2026-05-15T13:32:05.022Z

Link: CVE-2020-37228

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-16T16:16:18.667

Modified: 2026-05-16T16:16:18.667

Link: CVE-2020-37228

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-16T17:00:13Z

Weaknesses