A major security lapse briefly left systems at DavaIndia open to takeover, potentially exposing sensitive order information and internal controls.
The pharmacy network, operated by Zota Healthcare, runs thousands of outlets nationwide and has been expanding aggressively as demand for affordable medicines rises.
Security researcher Eaton Zveare said he discovered poorly protected administrative interfaces that allowed unauthenticated outsiders to generate high-privilege “super admin” access.
With such permissions, an attacker could have reviewed customer purchases, altered prices, issued discounts and even changed whether certain medicines required prescriptions.
System data suggested the vulnerable pathways may have existed since late 2024. Zveare estimated that nearly 17,000 orders and operational settings across hundreds of stores were reachable.
Health-related purchases are especially delicate because they can reveal conditions, treatments or personal matters customers expect to remain private.
Zveare said names, contact numbers, addresses and product details were visible through the exposed panels, raising the risk of embarrassment, profiling or targeted scams if abused.
He reported the matter to CERT-In in August 2025. The weakness was corrected within weeks, though formal acknowledgement took longer, he said.
There is no evidence the vulnerability was exploited before remediation. Still, the episode highlights how rapid retail digitisation can outpace governance if oversight mechanisms lag.
For large healthcare platforms, strong authentication, continuous monitoring and routine external testing are becoming essential to maintain trust alongside growth.



