
Vulnerability Analysis and disclosures

CERT-in has been very responsive and helpful in reacting to incident reports and getting vulnerabilities fixed.

  • Report incidents to CERT-in using this guide. The PDF is just a guide. An email is sufficient as long as it contains all the fields of this form.
  • For finance related vulnerabilities: CSIRT-fin

All of the vulnerabilities presented here are for educational purposes (especially for the CISOs and developers of these organizations). All vulnerabilities had been fixed by the service providers before these disclosures.

The curl commands are not shown in full; only the relevant headers are kept for brevity.


BimaBharosa IRDAI Vulnerability 2024

The Bima Bharosa portal (https://bimabharosa.irdai.gov.in) had a vulnerability in its complaint history API that allowed access to sensitive complaint details by simply incrementing the complaint ID. This exposed personal and claim information of policyholders without authentication.

Summary of the vulnerability:

| Sr | API | Date reported | Date fixed | Days taken | CERT-in reference number |
|----|-----|---------------|------------|------------|--------------------------|
| 1 | GetComplainthistorydata | 18 November 2024 | before 30 November 2024 | less than 12 days | 68209424 |
| 2 | encrypted GetComplainthistorydata | 30 November 2024 | 1 January 2025 | 31 days | 68209424 |

Root cause in OWASP terms:

  • A01 2021 Broken Access Control: CWE-284 Improper Access Control, CWE-285 Improper Authorization
  • A04 2021 Insecure Design: Insecure Direct Object Reference
  • A07 2021 Identification and Authentication Failures: CWE-287 Improper Authentication

Manipal Hospitals pvt ltd vulnerability 2024

Manipal Hospitals Pvt Ltd has a mandatory registration process on its kiosk portal (https://kiosk.manipalhospitals.com) for OPD consultations. The portal collects a lot of information within minutes, but deletion of the same personal data takes 3-4 months.

The portal had numerous vulnerabilities that allowed a user's personal data to be retrieved by serial access, "protected" only by a static Authorization header exposed in the front-end code.

Summary of the vulnerabilities:

| Sr | API | Date reported | Date fixed | Days taken | CERT-in reference number |
|----|-----|---------------|------------|------------|--------------------------|
| 1 | KioskOtpVerification | 27 December 2024 | Never reverted | more than 60 days | 91742724 |
| 2 | PatientVisitHistory | 27 December 2024 | Never reverted | more than 60 days | 91742724 |
| 3 | PatDetailsByMobileNo | 27 December 2024 | Never reverted | more than 60 days | 91742724 |

Root cause in OWASP terms:

  • A01 2021 Broken Access Control: CWE-35 Path Traversal, CWE-284 Improper Access Control, CWE-285 Improper Authorization
  • A02 2021 Cryptographic Failures: CWE-321 Use of Hard-coded Cryptographic Key
  • A04 2021 Insecure Design: Insecure Direct Object Reference
  • A07 2021 Identification and Authentication Failures: CWE-287 Improper Authentication, CWE-613 Insufficient Session Expiration

Council of Insurance Ombudsman CIOINS API Vulnerabilities 2024

The Council of Insurance Ombudsman CIOINS website (https://cioins.co.in) had numerous vulnerabilities covering several OWASP Top 10 categories in 2024. After it was reported to CERT-in (they do not have a direct email for this, and denied this information in the RTI), CIOINS simply masked the issue with bogus encryption whose key was exposed in the front-end source code.

After a follow-up, a proper fix was implemented, but with significant delay.
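The BimaBharosa, Manipal and CIOINS findings above share one root cause: a per-record lookup with no authentication and no ownership check, which client-side obfuscation of the ID cannot repair. The following is an added illustration, not code from any of these portals: the vulnerable lookup beside a version bound to the authenticated session, plus a small detector for the ID-walking pattern in the denial log. All records, accounts, session tokens and IDs are constructed.

```python
"""Constructed model of a complaint-history lookup: the per-ID endpoint the
disclosures describe, a hardened version, and a detector for ID walking."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Complaint:
    complaint_id: int
    owner: str      # account that filed the complaint
    details: str    # sensitive claim and personal information

COMPLAINTS = {  # constructed stand-in for the backend database
    1001: Complaint(1001, "alice", "claim 1001 details"),
    1002: Complaint(1002, "bob", "claim 1002 details"),
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}  # token -> account
DENIALS = []  # (principal, complaint_id) audit trail of refused lookups

def get_complaint_history_vulnerable(complaint_id):
    """'Before': any caller gets any record; nothing checks who is
    asking or whether the complaint is theirs (an IDOR)."""
    return COMPLAINTS.get(complaint_id)

def get_complaint_history(session_token, complaint_id):
    """'After': lookup bound to the authenticated principal. Unknown IDs and
    other accounts' IDs both yield None, so responses don't reveal which exist."""
    principal = SESSIONS.get(session_token)
    if principal is None:
        DENIALS.append(("<anonymous>", complaint_id))
        return None
    record = COMPLAINTS.get(complaint_id)
    if record is None or record.owner != principal:
        DENIALS.append((principal, complaint_id))
        return None
    return record

def sequential_probe_suspects(denials, window=3):
    """Detection: principals refused `window`+ consecutive IDs (ID incrementing)."""
    by_principal = {}
    for principal, cid in denials:
        by_principal.setdefault(principal, set()).add(cid)
    suspects = []
    for principal, ids in by_principal.items():
        ordered, run = sorted(ids), 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= window:
                suspects.append(principal)
                break
    return sorted(suspects)
```

Encrypting the complaint ID with a key shipped in the front-end changes only the form of the identifier, not which of the two handlers above the server behaves like.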

Summary of the vulnerabilities:

| Sr | API | Date reported | Date fixed | Days taken | CERT-in reference number |
|----|-----|---------------|------------|------------|--------------------------|
| 1 | FetchComplaintDetails | 16 November 2024 | 9 December 2024 | 21 | 07586124 |
| 2 | RetrieveData | 16 November 2024 | 9 December 2024 | 21 | 07586124 |
| 3 | FetchComplaints | 16 November 2024 | 9 December 2024 | 21 | 07586124 |
| 4 | encrypted FetchComplaintDetails | 9 December 2024 | 20 January 2025 | 41 (63 from original) | 07586124 |
| 5 | encrypted RetrieveData | 9 December 2024 | 20 January 2025 | 41 (63 from original) | 07586124 |
| 6 | encrypted FetchComplaints | 9 December 2024 | 20 January 2025 | 41 (63 from original) | 07586124 |

Root cause in OWASP terms:

  • A01 2021 Broken Access Control: CWE-284 Improper Access Control, CWE-285 Improper Authorization
  • A02 2021 Cryptographic Failures: CWE-321 Use of Hard-coded Cryptographic Key
  • A04 2021 Insecure Design: CWE-73 External Control of File Name or Path, Insecure Direct Object Reference
  • A07 2021 Identification and Authentication Failures: CWE-287 Improper Authentication, CWE-613 Insufficient Session Expiration

Indigo Vulnerability 2022-2024 and Air India Vulnerability 2025

Interglobe Indigo's manage booking portal (https://www.goindigo.in/edit-booking.html) and Air India Express (https://www.airindiaexpress.com/manage) leaked a passenger's phone number, email, date of birth, address and emergency contact information given only a PNR and the passenger's name. Even though the content is masked in the UI, the network activity shows the full data.

This was originally reported to Indigo in 2022 but was not fixed.

After reporting via email to Indigo in July 2024, an incomplete fix was implemented.

After reporting to CERT in November 2024, Indigo implemented a complete fix.

Air India warns its customers to not display PNR online in its tweets and asks them to share it via DMs.

Summary of the vulnerabilities:

| Sr | API | Date reported | Date fixed | Days taken | CERT-in reference number |
|----|-----|---------------|------------|------------|--------------------------|
| 1 | Indigo itinerary | 28 March 2022, 22 July 2024, 23 November 2024 | December 2024 | 1009, 162, 39 | 64401624 |
| 2 | Air India RetrieveData | 2 August 2025 | September 2024 | 30 | 25019125 |

Root cause in OWASP terms:

  • A01 2021 Broken Access Control: CWE-284 Improper Access Control, CWE-285 Improper Authorization
  • A07 2021 Identification and Authentication Failures: CWE-287 Improper Authentication, CWE-613 Insufficient Session Expiration

The New India Assurance Co Ltd Alleged Vulnerability 2024

An "alleged" vulnerability in the New India Assurance website allowed downloading sensitive personal information of a policyholder given only the policy number.

Summary of the "alleged" vulnerabilities:

| Sr | API | Date reported | Date fixed | Days taken | CERT-in reference number |
|----|-----|---------------|------------|------------|--------------------------|
| 1 | getPolicyDetails | 31 October 2024 | before 18 November 2024 | Less than 18 | not assigned due to non-reproducibility (due to delay in reporting it to CERT after reporting it to NIA) |

Root cause in OWASP terms:

  • A01 2021 Broken Access Control: CWE-35 Path Traversal, CWE-284 Improper Access Control, CWE-285 Improper Authorization
  • A04 2021 Insecure Design: Insecure Direct Object Reference
  • A07 2021 Identification and Authentication Failures: CWE-287 Improper Authentication, CWE-613 Insufficient Session Expiration

LIC cyber vulnerabilities and data breaches 2024-2025

The Life Insurance Corporation of India (LIC) had 6 vulnerabilities in October 2024, December 2024 and April 2025 in its https://esales.licindia.in website (developed by iNube Software Solutions). Two of them allowed serial access to the policy forms of prospective customers containing name, DOB, email, phone, PAN card, income tax forms, Aadhaar (or other IDs), signature, photo, medical history, address, income, nominees, other policy purchase details, etc.

The story was covered only in Medianama.

Summary of the vulnerabilities:

| Sr | API | Date reported | Date fixed | Days taken | CERT-in reference number |
|----|-----|---------------|------------|------------|--------------------------|
| 1 | GenericDocumentViewer | 16 October 2024 | 23 October 2024 | 7 | not assigned due to non-reproducibility (due to delay in reporting it to CERT after reporting it to LIC) |
| 2 | GetPayLoadByQueryDynamic | 16 October 2024, 6 December 2024 | 5 February 2025 | 112, 52 | CERTIn-80801824 |
| 3 | GetDocumentByIdPost | 9 December 2024 | 28 January 2025 | 50 | CERTIn-80801824 |
| 4 | GetUserByUserIdPost | 9 December 2024 | 28 January 2025 | 50 | CERTIn-80801824 |
| 5 | GenericSPApi | 9 December 2024 | 28 January 2025 | 50 | CERTIn-80801824 |
| 6 | GetQuoteDetailByNumberPost | 4 June 2025 | 25 July 2025 | 51 | CERTIn-38009725 |

Root cause in OWASP terms:

  • A01 2021 Broken Access Control: CWE-35 Path Traversal, CWE-284 Improper Access Control, CWE-285 Improper Authorization
  • A04 2021 Insecure Design: CWE-73 External Control of File Name or Path, Insecure Direct Object Reference
  • A07 2021 Identification and Authentication Failures: CWE-287 Improper Authentication, CWE-613 Insufficient Session Expiration