Inadequate Access Control Vulnerability in Davantis DFUSION Security Software
CVE-2025-41016

8.7 HIGH

Key Information:

Vendor: Davantis

Status
Vendor
CVE Published: 24 November 2025

What is CVE-2025-41016?

An inadequate access control vulnerability in Davantis DFUSION v6.177.7 lets unauthorized individuals access sensitive media files, including images and videos linked to alarm events. By requesting the endpoint '/alarms/<ALARM_ID>/', where the MEDIA parameter can be specified as either 'snapshot' or 'video.mp4', an attacker can retrieve footage recorded by security cameras that reacted to security alerts. This is a serious risk because private surveillance data can be retrieved without authentication.

Affected Version(s)

DFUSION prior to 6.186.1

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ferran Plaza