QwikSec

Security Database

CVE

CWE

Training

CVE-2025-34255

Published: Oct 16, 2025

Modified: May 25, 2026

PUBLISHED

Description

D-Link Nuclias Connect firmware versions <= 1.3.1.4 contain an observable response discrepancy vulnerability. The application's 'Forgot Password' endpoint returns distinct JSON responses depending on whether the supplied email address is associated with an existing account. Because the responses differ in the `data.exist` boolean value, an unauthenticated remote attacker can enumerate valid email addresses/accounts on the server. NOTE: D-Link states that a fix is under development.

Vendor	Product	Versions
D-Link	Nuclias Connect	affected `0 - <= 1.3.1.4`

Weaknesses (CWE)

References

https://www.vulncheck.com/advisories/dlink-nuclias-connect-forgot-password-account-enumeration

third-party-advisory

https://www.dlink.com/en/for-business/nuclias/nuclias-connect

product

https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10472

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.