Directory Traversal Vulnerability in D-Link Nuclias Connect Firmware
CVE-2025-34248

7.2HIGH

Key Information:

Vendor: D-link
Status: Nuclias Connect
Vendor: CVE Published:; 9 October 2025

What is CVE-2025-34248?

D-Link Nuclias Connect firmware prior to version 1.3.1.4 has a directory traversal vulnerability that arises from insufficient sanitization of the 'deleteBackupList' parameter within the /api/web/dnc/global/database/deleteBackup endpoint. If exploited by an authenticated attacker, this vulnerability could enable the deletion of arbitrary files, thereby compromising the integrity and availability of the affected systems. It is crucial for users to update their firmware to mitigate this risk.

Affected Version(s)

Nuclias Connect * < 1.3.1.4

References

https://www.vulncheck.com/advisories/dlink-nuclias-connec...

third-party-advisory

https://www.dlink.com/en/for-business/nuclias/nuclias-con...

product

CVSS V4

Score:

7.2

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 9, 2025
Vulnerability Reserved
Apr 15, 2025

Credit

Alex Williams from Pellera Technologies

JSON

D-link

What is CVE-2025-34248?

Affected Version(s)

References

CVSS V4

Timeline

Credit