PT-2025-47903 · Davantis · Davantis Dfusion
Ferran Plaza · Published 2025-11-24 · Updated 2025-11-24 · CVE-2025-41016
CVSS v4.0: 8.7 High
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Davantis DFUSION version 6.177.7
Description
An access control issue exists in Davantis DFUSION version 6.177.7. This allows unauthorized access to images and videos associated with alarm events. Exploitation occurs through the API endpoint /alarms/<ALARM ID>/<MEDIA>, where the MEDIA parameter can be set to 'snapshot' or 'video.mp4'. These media files contain images captured by security cameras when alarms are triggered. The ALARM ID is a variable representing the unique identifier of the alarm event.
Recommendations
Restrict access to the /alarms/<ALARM ID>/<MEDIA> API endpoint.
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Davantis Dfusion
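One way to check whether the restriction recommended above is holding, as an added example that is not part of the advisory or of vendor code: it scans access logs for successfully served requests to /alarms/<ALARM ID>/<MEDIA> from clients outside the networks meant to reach the device. The combined log format (from an assumed reverse proxy in front of DFUSION), the allowed network, and the sample lines with their alarm IDs are constructed assumptions.

```python
import ipaddress
import re

# Assumption: a reverse proxy in front of the device writes combined-format access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Endpoint shape from the advisory: /alarms/<ALARM ID>/<MEDIA>, MEDIA = snapshot | video.mp4
MEDIA_RE = re.compile(
    r'^/alarms/(?P<alarm>[^/?#]+)/(?P<media>snapshot|video\.mp4)(?:[?#].*)?$'
)

def audit(lines, allowed_networks):
    """Return media requests that were served (2xx) to clients outside allowed_networks."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        media = MEDIA_RE.match(m["path"])
        if not media or not m["status"].startswith("2"):
            continue  # other endpoint, or request was denied / failed
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # client field is not an IP literal
        if not any(ip in net for net in nets):
            findings.append((str(ip), media["alarm"], media["media"], int(m["status"])))
    return findings

# Constructed sample log lines (documentation address ranges, made-up alarm IDs).
SAMPLE = [
    '10.20.0.5 - - [24/Nov/2025:10:00:01 +0000] "GET /alarms/1001/snapshot HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '203.0.113.44 - - [24/Nov/2025:10:00:07 +0000] "GET /alarms/1001/video.mp4 HTTP/1.1" 206 1048576 "-" "curl/8.5.0"',
    '203.0.113.44 - - [24/Nov/2025:10:00:09 +0000] "GET /alarms/1002/snapshot HTTP/1.1" 403 153 "-" "curl/8.5.0"',
    '198.51.100.7 - - [24/Nov/2025:10:01:00 +0000] "GET /alarms/1003/snapshot?t=1 HTTP/1.1" 200 51200 "-" "python-requests/2.32"',
    '198.51.100.7 - - [24/Nov/2025:10:01:02 +0000] "GET /login HTTP/1.1" 200 900 "-" "python-requests/2.32"',
]

if __name__ == "__main__":
    # Assumption: 10.20.0.0/16 is the only network meant to reach the device.
    for finding in audit(SAMPLE, ["10.20.0.0/16"]):
        print(finding)
```

Any finding means alarm media was delivered to a client that the intended restriction should have blocked; an empty result on production logs is the expected state once access is restricted.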