CVE-2025-34254

D-Link Nuclias Connect <= v1.3.1.4 Login Account Enumeration

CVSS 6.9 MEDIUMEPSS 1.0%CWE-204

In short

D-Link Nuclias Connect up to version 1.3.1.4 reveals whether usernames exist on the system through different error messages during login. An attacker can enumerate valid usernames without needing a password, compromising account privacy.

Technical detail

The login endpoint exhibits response discrepancy vulnerability (CWE-204) where distinct JSON error messages are returned for valid versus invalid usernames. An unauthenticated remote attacker can exploit this information disclosure to enumerate existing accounts through differential response analysis.

Summary generated and translated by AI from the official description.

D-Link Nuclias Connect firmware versions <= 1.3.1.4 contain an observable response discrepancy vulnerability. The application's 'Login' endpoint returns distinct JSON responses depending on whether the supplied username is associated with an existing account. Because the responses differ in the `error.message`string value, an unauthenticated remote attacker can enumerate valid usernames/accounts on the server. NOTE: D-Link states that a fix is under development.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected products

D-Link · Nuclias Connect

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10472 https://www.dlink.com/en/for-business/nuclias/nuclias-connect https://www.vulncheck.com/advisories/dlink-nuclias-connect-login-account-enumeration