CVE-2020-37228 Overview
CVE-2020-37228 is an authentication bypass vulnerability in the iDS6 DSSPro Digital Signage System version 6.2, developed by Yerootech. The flaw resides in the CAPTCHA verification mechanism, which allows unauthenticated attackers to retrieve valid CAPTCHA codes by requesting the autoLoginVerifyCode object through the login endpoint. Once retrieved, attackers can submit valid CAPTCHA values alongside credential guesses, effectively neutralizing the anti-automation control. This enables brute-force attacks against user accounts at machine speed. The weakness maps to [CWE-307] Improper Restriction of Excessive Authentication Attempts.
Critical Impact
Remote unauthenticated attackers can bypass CAPTCHA protection and conduct automated brute-force attacks against any user account on the digital signage management interface.
Affected Products
- Yerootech iDS6 DSSPro Digital Signage System 6.2
- Web-based administrative login interface exposing the autoLoginVerifyCode object
- Deployments reachable over the network without compensating controls
Discovery Timeline
- 2026-05-16 - CVE-2020-37228 published to the National Vulnerability Database
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2020-37228
Vulnerability Analysis
The iDS6 DSSPro web application exposes a CAPTCHA generation endpoint that returns the verification code value directly to the client. An attacker performs an HTTP request that retrieves the autoLoginVerifyCode object, reads the generated CAPTCHA string from the response, and then submits a login request containing the matching code together with a guessed username and password pair. Because the server accepts any valid CAPTCHA returned through this path, the control fails to enforce the human-verification property it was designed to provide.
The vulnerability allows an unauthenticated attacker on the network to compromise the confidentiality, integrity, and availability of accounts managed through the system. Successful account takeover grants control over signage content, scheduling, and device management functions on connected displays.
Root Cause
The root cause is a design flaw classified as [CWE-307] Improper Restriction of Excessive Authentication Attempts. The CAPTCHA value is exposed to the requesting client rather than being held server-side and validated against a session-bound challenge. This breaks the assumption that CAPTCHA solving requires human interaction and removes the rate-limiting effect on credential guessing.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker scripts two HTTP requests: one to obtain a fresh CAPTCHA from the autoLoginVerifyCode endpoint, and a second to submit credentials with the harvested code. The loop is repeated to test password candidates against any known or enumerated username. Public exploit code for this issue is available through Exploit-DB #48991 and the ZeroScience advisory ZSL-2020-5607.
No verified exploitation code is reproduced here. Refer to the VulnCheck advisory for additional technical context.
Detection Methods for CVE-2020-37228
Indicators of Compromise
- Repeated HTTP GET requests to endpoints returning the autoLoginVerifyCode object from a single source address within short time windows.
- High volume of POST requests to the login endpoint from the same client following each CAPTCHA fetch.
- Authentication failure events for multiple usernames originating from a single IP address or user agent.
Detection Strategies
- Inspect web server access logs for paired request patterns where a CAPTCHA retrieval is immediately followed by a login attempt from the same session or address.
- Correlate failed authentication events with CAPTCHA endpoint requests to identify automated credential testing.
- Deploy web application firewall rules that flag programmatic access to verification code endpoints lacking browser-typical headers.
Monitoring Recommendations
- Forward DSSPro web server and authentication logs to a centralized SIEM for correlation and alerting on brute-force patterns.
- Track per-account failed login counts and trigger alerts when thresholds are exceeded within short intervals.
- Monitor network egress and ingress to the signage management interface for non-business-hours activity.
How to Mitigate CVE-2020-37228
Immediate Actions Required
- Restrict network access to the iDS6 DSSPro management interface using firewall rules or VPN-only access until a vendor fix is applied.
- Enforce strong, unique passwords for all DSSPro accounts and disable any default or unused credentials.
- Implement server-side rate limiting and account lockout policies at the network or reverse proxy layer.
Patch Information
No vendor patch is referenced in the available advisories. Contact Yerootech through the vendor home page to confirm the availability of a fixed release. Review the VulnCheck advisory for status updates.
Workarounds
- Place the management interface behind a reverse proxy that enforces its own CAPTCHA, multi-factor authentication, or client certificate requirements.
- Use an IP allow-list to restrict access to authorized administrative networks only.
- Deploy a WAF rule that blocks direct requests to the autoLoginVerifyCode endpoint from clients that have not first loaded the login page in a normal browser session.
# Example nginx rule to restrict access to the DSSPro admin interface
location / {
allow 10.0.0.0/24; # admin subnet
deny all;
limit_req zone=loginzone burst=5 nodelay;
proxy_pass http://dsspro_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
