CVE-2025-34254

EPSS 0.05%
Veröffentlicht 16.10.2025 18:52:08
Zuletzt bearbeitet 30.10.2025 16:07:47
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

D-Link Nuclias Connect firmware versions <= 1.3.1.4 contain an observable response discrepancy vulnerability. The application's 'Login' endpoint returns distinct JSON responses depending on whether the supplied username is associated with an existing account. Because the responses differ in the `error.message`string value, an unauthenticated remote attacker can enumerate valid usernames/accounts on the server. NOTE: D-Link states that a fix is under development.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Dlink ≫ Nuclias Connect Version <= 1.3.1.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.155

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
disclosure@vulncheck.com	6.9	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-204 Observable Response Discrepancy

The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

https://www.dlink.com/en/for-business/nuclias/nuclias-connect

Product

https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10472

Vendor Advisory

https://www.vulncheck.com/advisories/dlink-nuclias-connect-login-account-enumeration

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-34254

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-34254

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-34254

EUVD