Account Enumeration Vulnerability in D-Link Nuclias Connect Firmware
CVE-2025-34255

6.9 MEDIUM

Key Information:

Vendor: D-Link
CVE Published: 16 October 2025

What is CVE-2025-34255?

D-Link Nuclias Connect firmware versions up to 1.3.1.4 are susceptible to an observable response discrepancy in the 'Forgot Password' functionality. An unauthenticated attacker can determine which email addresses are associated with user accounts, because the JSON response differs depending on whether the supplied address is valid: the data.exist boolean takes a different value in each case. This discrepancy could potentially expose private account information. D-Link is aware of this issue and is currently developing a fix to address the vulnerability.
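The discrepancy described above can be caught by a regression check that diffs the responses for a known and an unknown address. The following is an added example, not D-Link's code: the handler names, the account store and the JSON shape around data.exist are assumptions made for illustration.

```python
import json

# Constructed sample account store (hypothetical address).
ACCOUNTS = {"admin@example.com"}

def forgot_password_leaky(email):
    """Behaviour the advisory describes: data.exist reveals account validity."""
    exists = email.lower() in ACCOUNTS
    return 200, json.dumps({"data": {"exist": exists}})

def forgot_password_uniform(email, outbox):
    """Hardened form: same status and body for every address.

    The reset mail is queued only for real accounts, out of band, so the
    HTTP response carries no information about the lookup result.
    """
    if email.lower() in ACCOUNTS:
        outbox.append(email.lower())
    return 200, json.dumps({"data": {}})

def discrepancy(handler, known, unknown):
    """Return the JSON paths (or '<status>') that differ between the
    responses for a known and an unknown address. Empty list = uniform."""
    (s1, b1), (s2, b2) = handler(known), handler(unknown)
    diffs = [] if s1 == s2 else ["<status>"]

    def walk(a, b, path):
        if isinstance(a, dict) and isinstance(b, dict):
            for key in sorted(set(a) | set(b)):
                walk(a.get(key), b.get(key), f"{path}.{key}" if path else key)
        elif a != b:
            diffs.append(path)

    walk(json.loads(b1), json.loads(b2), "")
    return diffs

if __name__ == "__main__":
    known, unknown = "admin@example.com", "nobody@example.com"
    print("leaky:  ", discrepancy(forgot_password_leaky, known, unknown))
    queue = []
    print("uniform:", discrepancy(lambda e: forgot_password_uniform(e, queue),
                                  known, unknown))
```

A uniform body does not cover timing differences between the two code paths; queuing the mail asynchronously, as the hardened handler assumes, keeps the response time independent of the lookup result.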

Affected Version(s)

Nuclias Connect * < 1.3.1.4

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Alex Williams from Pellera Technologies.