CVE-2025-34254

16.10.2025, 19:15

D-Link Nuclias Connect firmware versions <= 1.3.1.4 contain an observable response discrepancy vulnerability.The application's 'Login' endpoint returns distinct JSON responses depending on whether the supplied username is associated with an existing account. Because the responses differ in the `error.message`string value, an unauthenticated remote attacker can enumerate valid usernames/accounts on the server.NOTE: D-Link states that a fix is under development.

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
VulnCheck	CNA	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 31%

Common Weakness Enumeration

CWE-204 - Observable Response Discrepancy
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

References

https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10472

https://www.dlink.com/en/for-business/nuclias/nuclias-connect

https://www.vulncheck.com/advisories/dlink-nuclias-connect-login-account-enumeration