DavaIndia Pharmacy Security Flaw Exposed Customer Data and Admin Controls
A critical security vulnerability in DavaIndia Pharmacy, the pharmacy arm of India’s Zota Healthcare, allowed unauthorized access to full administrative controls and sensitive customer order data. The flaw, discovered by security researcher Eaton Zveare, stemmed from insecure "super admin" application programming interfaces (APIs) on the company’s platform.
The exposure enabled unauthenticated users to create high-privilege accounts, granting access to nearly 17,000 online orders and administrative functions across 883 stores. Attackers could have viewed customer details, including names, phone numbers, email addresses, and purchased medications, and could also have modified product prices, prescription requirements, and promotional discounts. The vulnerable interfaces had been active since late 2024, with system timestamps confirming the exposure.
Zveare reported the issue to India’s national cyber emergency response agency, CERT-In, in August 2025. The flaw was patched within weeks, though official confirmation from Zota Healthcare was delayed until late November. The company, which operates over 2,300 retail outlets across India and plans to expand further, did not respond to requests for comment. There is no evidence the vulnerability was exploited before being fixed.
The incident highlights the heightened privacy risks associated with pharmacy data, as exposed order details could reveal sensitive health information. Zota Healthcare’s rapid expansion, including 276 new stores announced in January 2025 and plans for 1,200–1,500 additional outlets, underscores the potential scale of such vulnerabilities.
Zota Healthcare TPRM report: https://www.rankiteo.com/company/davaindia-generic-pharmacy
DavaIndia Pharmacy TPRM report: https://www.rankiteo.com/company/davaindia-generic-pharmacy
{
  "id": "dav1771050672",
  "linkid": "davaindia-generic-pharmacy",
  "type": "Vulnerability",
  "date": "2/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 'Nearly 17,000 online orders',
                        'industry': 'Healthcare/Pharmaceutical',
                        'location': 'India',
                        'name': 'DavaIndia Pharmacy (Zota Healthcare)',
                        'size': '2,300+ retail outlets (as of 2025)',
                        'type': 'Pharmacy'}],
 'attack_vector': 'Insecure API',
 'data_breach': {'number_of_records_exposed': 'Nearly 17,000 online orders',
                 'personally_identifiable_information': 'Names, phone numbers, '
                                                        'email addresses, '
                                                        'purchased medications',
                 'sensitivity_of_data': 'High (personally identifiable '
                                        'information, health/medication data)',
                 'type_of_data_compromised': 'Customer order data, '
                                             'administrative controls'},
 'date_detected': '2025-08',
 'date_publicly_disclosed': '2025-11',
 'date_resolved': '2025-11',
 'description': 'A critical security vulnerability in DavaIndia Pharmacy, the '
                'pharmacy arm of India’s Zota Healthcare, allowed unauthorized '
                'access to full administrative controls and sensitive customer '
                'order data. The flaw, discovered by security researcher Eaton '
                "Zveare, stemmed from insecure 'super admin' application "
                'programming interfaces (APIs) on the company’s platform. The '
                'exposure enabled unauthenticated users to create '
                'high-privilege accounts, granting access to nearly 17,000 '
                'online orders and administrative functions across 883 stores. '
                'Attackers could have viewed customer details including names, '
                'phone numbers, email addresses, and purchased medications '
                'while also modifying product prices, prescription '
                'requirements, and promotional discounts. The vulnerable '
                'interfaces had been active since late 2024, with system '
                'timestamps confirming the exposure.',
 'impact': {'brand_reputation_impact': 'Potential brand reputation damage due '
                                       'to exposure of sensitive health '
                                       'information',
            'data_compromised': 'Customer order data (names, phone numbers, '
                                'email addresses, purchased medications), '
                                'administrative controls (product prices, '
                                'prescription requirements, promotional '
                                'discounts)',
            'identity_theft_risk': 'High (exposure of personally identifiable '
                                   'information and health data)',
            'operational_impact': 'Potential unauthorized modification of '
                                  'product prices, prescription requirements, '
                                  'and promotional discounts',
            'systems_affected': 'DavaIndia Pharmacy platform, 883 stores'},
 'investigation_status': 'Resolved',
 'lessons_learned': 'The incident highlights the heightened privacy risks '
                    'associated with pharmacy data, as exposed order details '
                    'could reveal sensitive health information. Importance of '
                    'securing administrative APIs and monitoring for '
                    'unauthorized access.',
 'post_incident_analysis': {'corrective_actions': 'API security patches '
                                                  'applied',
                            'root_causes': "Insecure 'super admin' APIs "
                                           'allowing unauthenticated '
                                           'high-privilege account creation'},
 'recommendations': 'Implement secure API practices, regular security audits, '
                    'and enhanced monitoring for high-privilege accounts. '
                    'Ensure timely reporting and communication of security '
                    'incidents.',
 'references': [{'source': 'Security researcher Eaton Zveare'}],
 'regulatory_compliance': {'regulatory_notifications': 'Reported to India’s '
                                                       'CERT-In'},
 'response': {'communication_strategy': 'Delayed official confirmation from '
                                        'Zota Healthcare (late November 2025)',
              'containment_measures': 'Vulnerability patched within weeks of '
                                      'reporting',
              'remediation_measures': 'Insecure APIs secured'},
 'title': 'DavaIndia Pharmacy Security Flaw Exposed Customer Data and Admin '
          'Controls',
 'type': 'Data Exposure',
 'vulnerability_exploited': "Insecure 'super admin' APIs allowing "
                            'unauthenticated high-privilege account creation'}