CVE-2025-34255 — Observable Response Discrepancy in D-link Nuclias Connect

CWE-204 — Observable Response Discrepancy3 documents3 sources

Severity

6.9MEDIUMNVD

EPSS

0.0%

top 88.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

D-link Nuclias Connect Dlink Nuclias Connect

Timeline

PublishedOct 16

Description

D-Link Nuclias Connect firmware versions <= 1.3.1.4 contain an observable response discrepancy vulnerability. The application's 'Forgot Password' endpoint returns distinct JSON responses depending on whether the supplied email address is associated with an existing account. Because the responses differ in the `data.exist` boolean value, an unauthenticated remote attacker can enumerate valid email addresses/accounts on the server. NOTE: D-Link states that a fix is under development.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

▶CVEListV5d-link/nuclias_connect* — 1.3.1.4

▶NVDdlink/nuclias_connect1.3.1.4

🔴Vulnerability Details

CVEList

D-Link Nuclias Connect <= v1.3.1.4 Forgot Password Account Enumeration↗2025-10-16

▶

GHSA

GHSA-fff6-x26h-q5rp: D-Link Nuclias Connect firmware versions <= 1↗2025-10-16

▶