Account Enumeration Vulnerability in D-Link Nuclias Connect Firmware
CVE-2025-34254

6.9 MEDIUM

Key Information:

Vendor

D-Link

CVE Published:
16 October 2025

What is CVE-2025-34254?

D-Link's Nuclias Connect firmware versions up to 1.3.1.4 are susceptible to an observable response discrepancy vulnerability. This flaw manifests at the application's 'Login' endpoint, where it reveals differing JSON responses based on the validity of the username input. An unauthenticated remote attacker can exploit this behavior to enumerate valid usernames on the server by analyzing variations in the error.message string. D-Link has acknowledged the issue and is actively working on a fix to address this security concern.

Affected Version(s)

Nuclias Connect * < 1.3.1.4

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Alex Williams from Pellera Technologies.