India’s Largest Pharmacy Exposes Customer Personal Details and Access to Internal Systems


A major vulnerability discovered on the platform of a division of Zota Healthcare exposed sensitive customer and internal system data due to insecure “super admin” APIs.

The issue, uncovered by Eaton-Works, allowed anyone to create a privileged super admin account and take full control of the pharmacy’s backend systems.

Dava India, which operates more than 2,100 outlets across India and describes itself as the country’s largest private generic pharmacy retail chain, runs an online platform and mobile app for medicine purchases.

Create your own Super Admin (Source: eaton-works)

Unauthorized Super Admin Access

Eaton-Works found that the website’s backend APIs lacked authentication checks.

By interacting with these endpoints, it was possible to create a super admin user account and reset its password, gaining administrative access to the entire system.

The exposed capabilities included access to customer orders, store details, and product management functions.
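To make the flaw concrete, here is an added illustration (not Dava India's code, and not published by Eaton-Works) of the two operations the write-up describes, creating a super admin and resetting its password, first with no caller check and then with the check the endpoints should have had. The user names, tokens, roles and in-memory tables are all constructed for the demo.

```python
import hashlib

def hash_pw(password, salt=b"constructed-salt"):
    # PBKDF2 hash; the fixed salt is only to keep the demo short
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

class VulnerableAdminApi:
    """Models the reported flaw: handlers act without checking who is calling."""
    def __init__(self):
        # Constructed data: one real super admin, one store clerk, two sessions
        self.users = {
            "owner": {"role": "super_admin", "pw_hash": hash_pw("owner-pw")},
            "clerk": {"role": "store_staff", "pw_hash": hash_pw("clerk-pw")},
        }
        self.sessions = {"tok-owner": "owner", "tok-clerk": "clerk"}  # token -> user

    def create_super_admin(self, request):
        body = request["body"]  # no caller check: an anonymous request succeeds
        self.users[body["username"]] = {"role": "super_admin",
                                        "pw_hash": hash_pw(body["password"])}
        return 201

    def reset_password(self, request):
        body = request["body"]  # likewise resets any account's password
        self.users[body["username"]]["pw_hash"] = hash_pw(body["new_password"])
        return 200

class HardenedAdminApi(VulnerableAdminApi):
    """Same endpoints; each handler resolves the caller and checks its role first."""
    def _caller(self, request):
        token = request.get("headers", {}).get("Authorization", "")
        name = self.sessions.get(token.removeprefix("Bearer "))
        return name, (self.users[name]["role"] if name else None)

    def create_super_admin(self, request):
        name, role = self._caller(request)
        if name is None:
            return 401  # unauthenticated
        if role != "super_admin":
            return 403  # authenticated, but not allowed to mint admins
        return super().create_super_admin(request)

    def reset_password(self, request):
        name, role = self._caller(request)
        if name is None:
            return 401
        if name != request["body"]["username"] and role != "super_admin":
            return 403  # only self-service, or a super admin resetting others
        return super().reset_password(request)
```

The status codes returned by the hardened handlers (401 for no session, 403 for a session without the required role) are also the events worth alerting on, since repeated 401/403 responses on admin-creation or password-reset routes are the signal a defender would look for.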

According to Eaton-Works, attackers could have viewed information from nearly 17,000 customer orders across 883 stores.

personal customer information exposed (Source: eaton-works)

Super admins can also edit or delete over 1,500 products, change prices, turn off prescription requirements, and generate custom coupons, including a “100% off” coupon.

In addition, the panel included control over website display features such as sponsored content and YouTube video embeds, raising the possibility of content manipulation.

Essentially, an attacker could have altered nearly every element of the company’s online presence. The vulnerability was reported to India’s Computer Emergency Response Team (CERT-IN) on August 20, 2025.

Dava India patched the issue approximately a month later. However, formal confirmation from the company was only received in late November 2025.

The researcher published details of the disclosure on February 13, 2026, marking their first public finding in the healthcare sector.

Eaton-Works confirmed that no personal data was stolen and that the flaw was patched before any known exploitation.

The vulnerability affected only the online systems; customers who made in-store purchases were not impacted.

This incident highlights the significant risks of insecure API design, especially in healthcare and retail platforms where administrative access often exposes sensitive customer and operational data.
