Multiple vulnerabilities in DFUSION by Davantis
Posted date 24/11/2025
Identifier
INCIBE-2025-0661
Importance
4 - High
Affected Resources
DFUSION, versions prior to 6.186.1.
Description
INCIBE has coordinated the publication of two vulnerabilities, one high severity and one medium severity, affecting Davantis' DFUSION, an intelligent video analysis solution. The vulnerabilities were discovered by Ferran Plaza.
Each vulnerability has been assigned the following CVE identifier, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:
- CVE-2025-41016: CVSS v4.0: 8.7 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-862
- CVE-2025-41017: CVSS v4.0: 6.9 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-862
Solution
The vulnerabilities were fixed by the Davantis team in version 6.186.1 in May 2020.
Detail
- CVE-2025-41016: Inadequate access control vulnerability in Davantis DFUSION v6.177.7, which allows unauthorised actors to extract images and videos related to alarm events through access to “/alarms/<ALARM_ID>/<MEDIA>”, where the “MEDIA” parameter can take the value of “snapshot” or “video.mp4”. These media files contain images recorded by security cameras in response to triggered alerts.
- CVE-2025-41017: Inadequate access control vulnerability in Davantis DFUSION v6.177.7, which allows unauthorised actors to retrieve perspective parameters from security camera settings by accessing “/cameras/<CAMERA_ID>/perspective”.
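Added example, not part of the INCIBE advisory or of Davantis' code: a log check that lists clients which were served the two endpoints above without an authenticated user. It assumes a reverse proxy in front of DFUSION that writes Combined Log Format with the authenticated user in the third field; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Endpoint patterns taken from the advisory text; IDs are matched as any path segment.
ADVISORY_PATHS = re.compile(
    r"^/(?:alarms/[^/?#]+/(?:snapshot|video\.mp4)|cameras/[^/?#]+/perspective)(?:\?.*)?$"
)
# Combined Log Format: host ident user [time] "METHOD path proto" status size ...
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def unauthenticated_hits(lines):
    """Group successful, user-less requests to the advisory paths by client host."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue  # not an access-log line this parser understands
        served = m["status"].startswith("2")  # 200/206: content was returned
        anonymous = m["user"] == "-"  # assumption: the proxy logs the authenticated user here
        if served and anonymous and ADVISORY_PATHS.match(m["path"]):
            hits[m["host"]].append(m["path"])
    return dict(hits)


# Constructed sample lines (documentation IP ranges, made-up IDs and user name).
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Nov/2025:10:00:01 +0000] "GET /alarms/1042/snapshot HTTP/1.1" 200 48211 "-" "-"',
    '198.51.100.7 - - [24/Nov/2025:10:00:02 +0000] "GET /alarms/1043/video.mp4 HTTP/1.1" 200 901211 "-" "-"',
    '192.0.2.10 - operator1 [24/Nov/2025:10:01:00 +0000] "GET /alarms/1042/snapshot HTTP/1.1" 200 48211 "-" "-"',
    '198.51.100.7 - - [24/Nov/2025:10:02:00 +0000] "GET /cameras/3/perspective HTTP/1.1" 401 0 "-" "-"',
    '203.0.113.5 - - [24/Nov/2025:10:03:00 +0000] "GET /cameras/3/perspective HTTP/1.1" 200 312 "-" "-"',
    '203.0.113.5 - - [24/Nov/2025:10:03:05 +0000] "GET /alarms/1042/thumbnail HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for host, paths in unauthenticated_hits(SAMPLE_LOG).items():
        print(host, len(paths), paths)
```

If the deployment authenticates with session cookies rather than a proxy-visible user, the third field is always "-" and the check has to key on the session instead.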
CVE
Exploitation
No
New Manufacturer
Davantis
CVE Identifier
CVE-2025-41016
Severity
High