CVE-2025-34254

D-Link Nuclias Connect firmware versions <= 1.3.1.4 contain an observable response discrepancy vulnerability. The application's 'Login' endpoint returns distinct JSON responses depending on whether the supplied username is associated with an existing account. Because the responses differ in the error.messagestring value, an unauthenticated remote attacker can enumerate valid usernames/accounts on the server. NOTE: D-Link states that a fix is under development.

Published: Oct 16, 2025
Updated: Nov 4, 2025
CVE: CVE-2025-34254
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-204

Affected Software
References

Software	From	Fixed in
dlink / nuclias_connect	-	1.3.1.4.x

https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10472
https://www.dlink.com/en/for-business/nuclias/nuclias-connect
https://www.vulncheck.com/advisories/dlink-nuclias-connect-login-account-enumeration

Vulnerability Database

CVE-2025-34254

Deep Security Visibility Without the Complexity