CVE-2025-34254

CWE-2043 documents3 sources

Severity

6.9MEDIUM

EPSS

0.0%

top 87.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

D-link Nuclias Connect Dlink Nuclias Connect

Timeline

PublishedOct 16

Description

D-Link Nuclias Connect firmware versions <= 1.3.1.4 contain an observable response discrepancy vulnerability. The application's 'Login' endpoint returns distinct JSON responses depending on whether the supplied username is associated with an existing account. Because the responses differ in the `error.message`string value, an unauthenticated remote attacker can enumerate valid usernames/accounts on the server. NOTE: D-Link states that a fix is under development.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

▶CVEListV5d-link/nuclias_connect* — 1.3.1.4

▶NVDdlink/nuclias_connect1.3.1.4

🔴Vulnerability Details

CVEList

D-Link Nuclias Connect <= v1.3.1.4 Login Account Enumeration↗2025-10-16

▶

GHSA

GHSA-mr7p-fqx6-72v7: D-Link Nuclias Connect firmware versions <= 1↗2025-10-16

▶