Major Indian Pharmacy Chain Leaks Sensitive Patient Data – Ankor Tech

A severe security vulnerability in DavaIndia Pharmacy, a division of Zota Healthcare, has exposed thousands of customer orders and granted unauthorized administrative access to internal systems. The breach, which persisted for months, allowed outsiders to manipulate critical drug-control functions and view private health-related purchase histories.

Critical Security Flaw Exposed

Security researcher Eaton Zveare identified insecure “super admin” application programming interfaces (APIs) on the DavaIndia website. These vulnerabilities allowed unauthenticated users to create high-level administrative accounts, effectively bypassing security protocols. Zveare has publicly disclosed his findings following the resolution of the bug.

Impact on Customer Privacy

The exposure involved nearly 17,000 online orders, linking sensitive customer data to specific medication purchases. The compromised information included:

  • Full customer names
  • Phone numbers and email addresses
  • Mailing addresses
  • Total transaction amounts
  • Detailed product purchase history

Because pharmacy data often reveals personal health conditions, the risk to patient privacy and safety is significant. Accessing this data could allow malicious actors to identify private or sensitive medical treatments linked to individual identities.

Systemic Control and Administrative Risks

Beyond personal data, the “super admin” access granted control over internal operational systems spanning 883 retail stores. An attacker with this access could have:

  • Modified product listings and prices
  • Altered prescription requirements for medications
  • Generated fraudulent discount coupons
  • Defaced website content to cause operational disruption

System timestamps indicate the vulnerability had been active since late 2024. While Zveare reported the issue to CERT-In, India’s national cyber-emergency response agency, in August 2025, the company took several weeks to finalize the patch and confirm the fix to authorities.

Rapid Expansion Under Scrutiny

The security lapse occurs as Zota Healthcare aggressively scales its footprint. The Gujarat-based firm currently operates over 2,300 outlets, following the addition of 276 new stores in early 2026. The company has publicly declared intentions to add up to 1,500 additional locations over the next two years.

Despite the severity of the findings, there is currently no evidence that the vulnerability was exploited by malicious actors prior to the patch. Zota Healthcare CEO Sujit Paul did not respond to requests for comment regarding the incident.