PatchSiren

PatchSiren cyber security CVE debrief

CVE-2020-37228 Yerootech CVE debrief

CVE-2020-37228 is a critical authentication weakness in iDS6 DSSPro Digital Signage System 6.2. According to the supplied record, an attacker can request the autoLoginVerifyCode object, recover valid CAPTCHA codes through the login endpoint, and use that behavior to bypass authentication protections and brute-force user accounts. The NVD data in the corpus rates the issue at CVSS 9.3 and maps it to CWE-307.

Vendor: Yerootech
Product: Unknown
CVSS: CRITICAL 9.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-16
Original CVE updated: 2026-05-16
Advisory published: 2026-05-16
Advisory updated: 2026-05-16

Who should care

Administrators and security teams responsible for iDS6 DSSPro Digital Signage System 6.2, especially if the login interface is reachable from untrusted networks. Identity and access teams should also care because the flaw directly affects authentication controls and account protection.

Technical summary

The supplied description indicates that the application’s CAPTCHA mechanism is not enforcing a reliable server-side challenge. Instead, the autoLoginVerifyCode object can be requested in a way that reveals valid CAPTCHA codes, and those codes can then be used against the login flow. That makes the authentication boundary weaker than intended and enables remote brute-force attempts against user accounts. The corpus classifies the issue as CWE-307 and assigns a critical CVSS vector with network-based attack conditions, no privileges required, no user interaction, and high impact to confidentiality, integrity, and availability.

Defensive priority

Immediate — the flaw weakens authentication and can support account compromise through remote brute-force activity.

Recommended defensive actions

  • Identify all iDS6 DSSPro Digital Signage System 6.2 deployments and determine whether the login endpoint is exposed beyond trusted networks.
  • If vendor fixes or mitigations are available, apply them promptly; if not, isolate the affected system or restrict access until a fix is in place.
  • Limit management and login access to trusted IP ranges, VPN users, or other approved administrative paths.
  • Add or tighten rate limiting, account lockout, and alerting on repeated login failures or abnormal CAPTCHA-related requests.
  • Review authentication logs for suspicious use of the login endpoint, repeated verification-code requests, and signs of brute-force activity.
  • Rotate credentials and investigate for unauthorized account use if the system has been exposed to untrusted networks.
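One way to implement the log review and alerting items above, as an added example that is not part of the advisory or any vendor code: a Python sweep over constructed access-log lines that flags a client which repeatedly fetches the verification code and fails logins inside one time window. The request paths, the log format and the failure status codes are assumptions, since the debrief names only an autoLoginVerifyCode object and a login endpoint.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed paths and status codes: the debrief names only an "autoLoginVerifyCode
# object" and a "login endpoint", so these are placeholders, not vendor values.
VERIFY_CODE_PATH = "/autoLoginVerifyCode"
LOGIN_PATH = "/login"
FAIL_STATUSES = {401, 403}
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")  # ts client method path status

def find_bruteforce(log_lines, window_s=60, code_threshold=5, fail_threshold=5):
    """Flag clients that, inside any window_s-second window, fetch the verification
    code >= code_threshold times and fail >= fail_threshold logins.
    Returns {client_ip: (code_requests, login_failures)} for the first such window."""
    events = defaultdict(list)
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line; skip rather than crash the sweep
        ts, ip, method, path, status = m.groups()
        ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if method == "GET" and path == VERIFY_CODE_PATH:
            events[ip].append((ts, "code"))
        elif method == "POST" and path == LOGIN_PATH and int(status) in FAIL_STATUSES:
            events[ip].append((ts, "fail"))
    window = timedelta(seconds=window_s)
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):  # slide the window over each event
            kinds = [k for t, k in evs[i:] if t - start <= window]
            codes, fails = kinds.count("code"), kinds.count("fail")
            if codes >= code_threshold and fails >= fail_threshold:
                flagged[ip] = (codes, fails)
                break
    return flagged

# Constructed sample log (not real traffic): 203.0.113.7 alternates a code fetch
# and a failed login every second; 198.51.100.4 mistypes once, then succeeds.
SAMPLE_LOG = [f"2026-05-16T10:00:{2 * i + j:02d}Z 203.0.113.7 {req}"
              for i in range(12)
              for j, req in enumerate((f"GET {VERIFY_CODE_PATH} 200", f"POST {LOGIN_PATH} 401"))]
SAMPLE_LOG += [
    f"2026-05-16T10:01:00Z 198.51.100.4 GET {VERIFY_CODE_PATH} 200",
    f"2026-05-16T10:01:03Z 198.51.100.4 POST {LOGIN_PATH} 401",
    f"2026-05-16T10:01:12Z 198.51.100.4 POST {LOGIN_PATH} 302",
]
```

Thresholds and the window are tuning knobs: a legitimate user who retries a few times stays well under both, while a client cycling code fetches and failed logins is reported with its counts for the alert.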

Evidence notes

The supplied NVD record states that the vulnerability is a CAPTCHA security bypass in iDS6 DSSPro 6.2 that allows attackers to retrieve valid CAPTCHA codes via the login endpoint and use them for brute-force attacks. The same record lists CWE-307 and a CVSS 4.0 vector scored at 9.3. The corpus also includes references to CVE.org, the NVD detail page, a VulnCheck advisory, ZeroScience, an Exploit-DB entry, and yerootech.com. Vendor attribution in the input is explicitly marked low confidence and needs review.

Official resources

This debrief is based on the supplied CVE/NVD corpus and linked public references. The record timing in the corpus is 2026-05-16; that date reflects the CVE/NVD record metadata, not the origin date of the vulnerability itself.