Customer data at risk included names, phone numbers, email addresses, mailing addresses, total amounts paid, and purchased products, raising privacy and patient-safety concerns.

Zota Healthcare operates over 2,300 DavaIndia stores with plans to add 1,200–1,500 more in the next two years, underscoring the critical need to secure administration and data.

An attacker with admin access could view and edit stores, pharmacist details, customer orders, personal data, products, inventory, and coupons, and could potentially bypass prescription requirements by toggling controls.

A security lapse at DavaIndia Pharmacy, the pharmacy arm of Zota Healthcare, allowed attackers to gain full administrative control of its platform and access customer order data and sensitive drug-control functions.

The flaw exposed customer data and granted attackers full administrative control over systems, including sensitive order and product information.

The issue was reported to CERT-In in August 2025 and fixed within weeks, with formal confirmation to cyber authorities in late November 2025.

The flaw was first reported on a late-August 2025 and was resolved within a month, with public disclosure and final closure confirmed in late November 2025 and February 2026.

An exposed admin panel included a Sponsor Settings feature that could be manipulated to alter homepage content, including videos, and even enable a prank like a Rick Roll.

The vulnerability appeared to be active since late 2024, exposing nearly 17,000 online orders and administrative controls across 883 stores before being fixed.

The vulnerability was found in an exposed admin subdomain that allowed unauthenticated access to super-admin APIs and enabled creation of a new super admin account via a crafted POST request.

The exposed system could reveal and alter thousands of online orders, modify product listings and prices, create discount coupons, and change prescription requirements, with potential to deface or disrupt the site.

Security researcher identified insecure super admin interfaces and privately notified authorities; the flaw allowed unauthenticated creation of high-privilege accounts.