CVE-2020-37228
iDS6 · DSSPro Digital Signage System
The iDS6 DSSPro Digital Signage System 6.2 contains a CAPTCHA bypass vulnerability that allows attackers to retrieve valid codes and perform brute-force attacks against user accounts.
Executive summary
A critical authentication bypass vulnerability in iDS6 DSSPro 6.2 allows unauthenticated attackers to circumvent CAPTCHA protections and perform automated brute-force attacks.
Vulnerability
The vulnerability exists in the login endpoint, where an unauthenticated attacker can directly request the autoLoginVerifyCode object and read the valid CAPTCHA code from it. Because the code is disclosed rather than kept server-side, the CAPTCHA no longer prevents automated login attempts, which facilitates credential stuffing or brute-force attacks against user accounts.
Business impact
By bypassing CAPTCHA, attackers can gain unauthorized access to user or administrative accounts, potentially leading to unauthorized system control or configuration changes. With a CVSS score of 9.8, this vulnerability poses a significant risk to the integrity and availability of the digital signage infrastructure.
Remediation
Immediate Action: Update the iDS6 DSSPro system to the latest available version that includes the fix for the CAPTCHA bypass.
Proactive Monitoring: Monitor authentication logs for an unusual spike in login attempts, or in failed authentication attempts, originating from a single IP address.
Compensating Controls: Implement rate-limiting at the Web Application Firewall (WAF) level to throttle requests to the login endpoint.
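The monitoring recommendation above is easiest to act on with a concrete check. The following is an added example, not code from the advisory or from the iDS6 vendor: it scans authentication log lines, counts failed logins per source IP inside a sliding time window, and flags sources that reach a threshold. The log format and the sample lines are constructed for the example; DSSPro's real log format is not documented on this page, so LOG_RE must be adapted to whatever the signage server actually writes.

```python
# Added example for CVE-2020-37228 monitoring guidance (not the advisory's own code).
# Detects the signature a CAPTCHA bypass leaves behind: many failed logins from
# one source in a short time. Log format below is a constructed assumption.
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log excerpt (hypothetical format, not DSSPro's real one).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login ip=203.0.113.7 user=admin result=FAIL
2024-05-01T10:00:03Z login ip=203.0.113.7 user=admin result=FAIL
2024-05-01T10:00:05Z login ip=198.51.100.4 user=operator result=FAIL
2024-05-01T10:00:06Z login ip=203.0.113.7 user=admin result=FAIL
2024-05-01T10:00:08Z login ip=203.0.113.7 user=admin result=FAIL
2024-05-01T10:00:09Z login ip=198.51.100.4 user=operator result=OK
2024-05-01T10:00:11Z login ip=203.0.113.7 user=root result=FAIL
2024-05-01T10:00:13Z login ip=203.0.113.7 user=admin result=FAIL
2024-05-01T10:02:00Z login ip=192.0.2.9 user=admin result=FAIL
2024-05-01T10:05:00Z login ip=192.0.2.9 user=admin result=FAIL
2024-05-01T10:09:00Z login ip=192.0.2.9 user=admin result=FAIL
2024-05-01T10:12:30Z login ip=192.0.2.9 user=admin result=FAIL
2024-05-01T10:16:00Z login ip=192.0.2.9 user=admin result=FAIL
2024-05-01T10:20:00Z login ip=192.0.2.9 user=admin result=FAIL
"""

# Assumed line shape: "<ISO8601 UTC> login ip=<addr> user=<name> result=<OK|FAIL>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line; return (timestamp, ip, user, result) or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"], m["result"]


def find_bruteforce_sources(log_text, threshold=5, window_seconds=60):
    """Flag source IPs whose failed logins within any sliding window reach `threshold`.

    Returns {ip: {"peak_failures": n, "users": [targeted usernames]}}.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> usernames seen in failed attempts
    peak = {}                     # ip -> highest in-window failure count observed
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, user, result = parsed
        if result != "FAIL":
            continue
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        # Drop failures that have aged out of the window relative to this event.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return {
        ip: {"peak_failures": n, "users": sorted(users[ip])}
        for ip, n in peak.items()
    }


if __name__ == "__main__":
    for ip, info in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['peak_failures']} failures in window, users={info['users']}")
```

With the defaults (five failures in sixty seconds) only 203.0.113.7 is flagged; 192.0.2.9 fails just as often in total but spaced minutes apart, so a pure sliding-window rule misses a slow, low-rate attempt. In practice run this alongside a longer-window or per-account count, and treat any flagged source as a candidate for the WAF rate limit described under Compensating Controls.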
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The ability to bypass authentication controls is a critical security failure. Administrators must urgently update the affected signage systems and consider implementing additional access controls, such as multi-factor authentication, if supported, to mitigate the risk of account takeover.