CVE-2025-34255

EPSS 0.05%
Veröffentlicht 16.10.2025 18:52:59
Zuletzt bearbeitet 30.10.2025 16:06:51
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

D-Link Nuclias Connect firmware versions <= 1.3.1.4 contain an observable response discrepancy vulnerability. The application's 'Forgot Password' endpoint returns distinct JSON responses depending on whether the supplied email address is associated with an existing account. Because the responses differ in the `data.exist` boolean value, an unauthenticated remote attacker can enumerate valid email addresses/accounts on the server. NOTE: D-Link states that a fix is under development.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Dlink ≫ Nuclias Connect Version <= 1.3.1.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.155

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
disclosure@vulncheck.com	6.9	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-204 Observable Response Discrepancy

The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

https://www.dlink.com/en/for-business/nuclias/nuclias-connect

Product

https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10472

Vendor Advisory

https://www.vulncheck.com/advisories/dlink-nuclias-connect-forgot-password-account-enumeration

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-34255

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-34255

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-34255

EUVD