Cyber Resilience

CVE-2020-37228

Severity: Critical · Public PoC referenced

Published: 16 May 2026
Modified: 18 May 2026
KEV added: not listed
Patch: none recorded
CVSS v4.0 base score: 9.3 (Critical)
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0043 (34.4th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2020-37228 is a critical-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in the iDS6 DSSPro Digital Signage System 6.2, attributed to Yerootech (vendor inferred from references; NVD has not filed a CPE). Its CVSS v4.0 base score is 9.3 (Critical): the vector records network-reachable, low-complexity exploitation with no privileges or user interaction required, and high impact on confidentiality, integrity and availability.

Operationally, its EPSS score of 0.0043 places it at the 34.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced. A below-median EPSS is a prediction about observed exploitation, not a statement about difficulty: the vector shows the weakness is reachable over the network without authentication, and a public PoC exists.


Vulnerability details

iDS6 DSSPro Digital Signage System 6.2 contains a CAPTCHA security bypass vulnerability that allows attackers to bypass authentication by requesting the autoLoginVerifyCode object. Attackers can retrieve valid CAPTCHA codes via the login endpoint and use them to perform brute-force attacks against user accounts.

In practice this means the CAPTCHA offers no resistance to an automated client, because the answer it is meant to protect is itself served by the login flow. With no limit on failed attempts (CWE-307), the login endpoint can be scripted against each account until a password matches.

CWE(s)

CWE-307: Improper Restriction of Excessive Authentication Attempts


CVEs Like This One

All of the following share CWE-307 with this entry:

CVE-2026-33667
CVE-2024-55008
CVE-2026-45364
CVE-2026-25114
CVE-2026-26305
CVE-2026-20882
CVE-2025-69246
CVE-2026-33640
CVE-2026-43914
CVE-2026-40586

Affected Assets

Yerootech (iDS6 DSSPro Digital Signage System 6.2)
Vendor inferred from the references and description; NVD has not filed a CPE for this CVE, so asset inventories cannot be matched on CPE and must be searched by product name.

Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the two controls below are derived from the weakness type (CWE-307) cited in the NVD entry rather than from the vulnerability itself.

Control 1 (addresses CWE-307): directly enforces a limit on consecutive invalid logon attempts and an automatic response (for example, account or source lockout) to prevent brute-force exploitation of authentication mechanisms.

Control 2 (addresses CWE-307): requires stronger authentication under specific conditions, which can include an excessive number of failed attempts, so that brute-force exploitation is restricted even where the first factor is guessed.

Neither control addresses the CAPTCHA leak itself: if the challenge answer remains retrievable from the login flow, the CAPTCHA cannot be counted as the attempt limiter, and the lockout must be enforced server-side independently of it.
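To make the vulnerability description and the two controls above concrete, here is an added Python model of both a weak login service (CAPTCHA answer fetchable through a verify-code object, no attempt counting) and a hardened one (answer hashed server-side, bound to one session, consumed on first use, with a per-account lockout after consecutive failures). This is constructed for this page and is not code from the iDS6 DSSPro product or its vendor; the class and method names, the thresholds, the accounts and the wordlist are all hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: hypothetical accounts and a short attacker wordlist.
USERS = {"admin": "Winter2020", "kiosk": "kiosk123"}
WORDLIST = ["password", "123456", "admin", "letmein", "qwerty", "welcome",
            "Winter2020", "kiosk123"]

def _random_code():
    return f"{secrets.randbelow(10000):04d}"

class WeakLoginService:
    """Weak pattern from the description: the current CAPTCHA answer can be
    fetched from a verify-code object, and failed logins are never counted."""

    def __init__(self):
        self._code = _random_code()

    def get_verify_code(self):
        return self._code            # analogue of requesting autoLoginVerifyCode

    def login(self, username, password, code):
        if code != self._code:
            return "bad-captcha"
        self._code = _random_code()  # rotates, but the new code is fetchable too
        return "ok" if USERS.get(username) == password else "bad-credentials"

class HardenedLoginService:
    """Hardened pattern: the answer is kept server-side as a hash bound to one
    session and consumed on first use; consecutive credential failures per
    account trigger a temporary lockout (the CWE-307 control)."""

    MAX_FAILURES = 5        # hypothetical threshold
    LOCKOUT_SECONDS = 900   # hypothetical lockout window

    def __init__(self, now):
        self._now = now             # injectable time source (callable)
        self._challenges = {}       # session_id -> sha256(answer)
        self._failures = {}         # username -> (count, locked_until)

    def new_challenge(self, session_id):
        answer = _random_code()
        self._challenges[session_id] = hashlib.sha256(answer.encode()).hexdigest()
        # In production the answer goes only to the image renderer and no API
        # returns it; it is returned here so the caller can stand in for a
        # user (or a CAPTCHA-solving service) typing it.
        return answer

    def is_locked(self, username):
        return self._now() < self._failures.get(username, (0, 0.0))[1]

    def login(self, session_id, username, password, code):
        expected = self._challenges.pop(session_id, None)   # single use
        got = hashlib.sha256(code.encode()).hexdigest()
        if expected is None or not hmac.compare_digest(expected, got):
            return "bad-captcha"
        if self.is_locked(username):
            return "locked"
        if USERS.get(username) == password:
            self._failures.pop(username, None)
            return "ok"
        count = self._failures.get(username, (0, 0.0))[0] + 1
        until = self._now() + self.LOCKOUT_SECONDS if count >= self.MAX_FAILURES else 0.0
        self._failures[username] = (count, until)
        return "locked" if until else "bad-credentials"

def brute_force_weak(service, username, wordlist):
    """Fetch a valid code, try a password, repeat. Returns (found, attempts)."""
    for attempts, guess in enumerate(wordlist, start=1):
        if service.login(username, guess, service.get_verify_code()) == "ok":
            return guess, attempts
    return None, len(wordlist)

def brute_force_hardened(service, username, wordlist, solve):
    """Same attack with a solve(session_id) oracle that returns the correct
    CAPTCHA answer. Returns the responses seen until success or lockout."""
    responses = []
    for guess in wordlist:
        sid = secrets.token_hex(8)
        responses.append(service.login(sid, username, guess, solve(sid)))
        if responses[-1] in ("ok", "locked"):
            break
    return responses

def run_demo():
    found, attempts = brute_force_weak(WeakLoginService(), "admin", WORDLIST)
    clock = {"t": 0.0}
    hard = HardenedLoginService(lambda: clock["t"])
    blind = hard.login("s0", "admin", "Winter2020", "0000")    # no challenge issued
    solved = brute_force_hardened(hard, "admin", WORDLIST, hard.new_challenge)
    during = hard.login("u1", "admin", "Winter2020", hard.new_challenge("u1"))
    clock["t"] += HardenedLoginService.LOCKOUT_SECONDS
    answer = hard.new_challenge("u2")
    after = hard.login("u2", "admin", "Winter2020", answer)
    replay = hard.login("u2", "admin", "Winter2020", answer)   # consumed challenge
    return {"weak_found": found, "weak_attempts": attempts, "blind": blind,
            "solved": solved, "during_lockout": during,
            "after_lockout": after, "replay": replay}
```

Running `run_demo()` shows the weak service giving up the admin password on the seventh scripted attempt, while the hardened service rejects a client that never obtained a challenge, locks the account after five failures even when the attacker can solve every CAPTCHA, refuses the correct password during the lockout window, accepts it once the window has passed, and rejects a replayed challenge answer. The two defences are deliberately independent: the single-use server-side challenge closes the leak, and the attempt counter is what actually addresses CWE-307.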
