CVE-2020-37228 -- CVSS 9.8 Vulnerability Briefing
CVE-2020-37228 | CVSS 9.8 (Critical) | Exploit: No known exploit
What Is It
CVE-2020-37228 is an authentication bypass vulnerability in iDS6 DSSPro Digital Signage System version 6.2, caused by a CAPTCHA security control that can be circumvented by directly requesting a specific internal object.
Technical Detail
The flaw exists in the CAPTCHA verification mechanism of the DSSPro platform, where an attacker can bypass the authentication challenge by requesting the autoLoginVerifyCode object directly, effectively retrieving a valid login token without completing the intended verification step. This allows an unauthenticated remote attacker to gain unauthorized access to the system without valid credentials. The impact is a full authentication bypass, potentially granting administrative access to the digital signage management interface and any content or infrastructure it controls.
Exploitation Status
No known exploit code has been publicly documented for this vulnerability, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. There is no confirmed evidence of active exploitation in the wild at this time. Despite the critical CVSS score of 9.8, the absence of a known exploit reduces immediate operational risk, though the attack concept is straightforward and the barrier to exploitation is low given the nature of the bypass.
Who Is Targeting This
Confirmed (ATTAX-verified): OilRig (Iran, nation-state motivation), Lazarus Group (DPRK, nation-state motivation), Fox Kitten (Iran, nation-state motivation), Ember Bear (Russia, nation-state motivation), and Dragonfly (Russia, nation-state motivation) are all associated with this CVE at high confidence. No additional reported or research-inferred actor attribution is present in current data. The presence of multiple sophisticated nation-state actors across Iran, North Korea, and Russia warrants elevated concern, though the specific operational context linking these actors to this particular vulnerability has not been publicly detailed.
What To Do
Organizations running iDS6 DSSPro Digital Signage System version 6.2 should prioritize upgrading to a patched version if one has been released by the vendor, or contact iDS6 directly to confirm remediation availability. If patching is not immediately possible, restrict network access to the DSSPro management interface using firewall rules or network segmentation, ensuring it is not exposed to untrusted networks or the public internet. Monitor authentication logs for anomalous login activity, particularly successful authentications that do not correspond to expected user behavior or that originate from unexpected source addresses. Given the confirmed association with multiple nation-state threat actors, organizations in critical infrastructure, government, and media sectors should treat this as a priority remediation item regardless of current exploit availability.
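To make the log-monitoring advice above concrete, here is an added detection example (not code from the advisory or the vendor) that scans web-server access logs for clients which fetched the autoLoginVerifyCode object named in the technical detail directly and then completed a login. The log format, the /login.do path and the use of a 302 as the success signal are assumptions; the sample lines are constructed.

```python
"""Flag clients that hit the DSSPro CAPTCHA token object directly and then log in.
Log format, URL paths and status codes are assumptions, not taken from the product."""
import re
from collections import defaultdict

# Assumed combined-log-style lines; constructed sample data, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2024:10:00:01 +0000] "GET /login.jsp HTTP/1.1" 200 512
10.0.0.5 - - [01/Mar/2024:10:00:02 +0000] "GET /verifyCode.jsp HTTP/1.1" 200 1200
10.0.0.5 - - [01/Mar/2024:10:00:09 +0000] "POST /login.do HTTP/1.1" 302 0
203.0.113.7 - - [01/Mar/2024:10:05:00 +0000] "GET /autoLoginVerifyCode HTTP/1.1" 200 48
203.0.113.7 - - [01/Mar/2024:10:05:01 +0000] "POST /login.do HTTP/1.1" 302 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# The object name comes from the advisory; the login path and the 302-as-success
# convention are assumptions that must be adapted to the real deployment.
SUSPECT_OBJECT = "autoLoginVerifyCode"
LOGIN_PATH = "/login.do"


def find_bypass_candidates(log_text: str) -> list:
    """Return one finding per client that fetched the token object and then logged in."""
    state = defaultdict(lambda: {"hit": False, "hit_time": None})
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        client, ts, method, path, status = m.groups()
        if SUSPECT_OBJECT.lower() in path.lower():
            # Direct request for the token object: remember it per client.
            state[client]["hit"] = True
            state[client]["hit_time"] = ts
        elif path == LOGIN_PATH and status == "302" and state[client]["hit"]:
            # Login completed after a direct token fetch: report and reset.
            findings.append({"client": client,
                             "token_request": state[client]["hit_time"],
                             "login": ts})
            state[client]["hit"] = False
    return findings


if __name__ == "__main__":
    for finding in find_bypass_candidates(SAMPLE_LOG):
        print("possible CAPTCHA bypass:", finding)
```

The normal client (10.0.0.5) that loaded the CAPTCHA image before logging in is not flagged; only the client that went straight to the token object is.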