CVE-2025-34255
📊 6.9 MEDIUM⚡ 0.0%🎯 0 exploits
📅 Published Oct 16, 2025
📋 Status: Analyzed
D-Link Nuclias Connect firmware versions <= 1.3.1.4 contain an observable response discrepancy vulnerability. The application's 'Forgot Password' endpoint returns distinct JSON responses depending on whether the supplied email address is associated with an existing account. Because the responses differ in the `data.exist` boolean value, an unauthenticated remote attacker can enumerate valid email addresses/accounts on the server. NOTE: D-Link states that a fix is under development.
CVSS v3.1 • NVD
🎯 Affected Products & Systems
1 product configurations affected
Filter by type:
| Type | Vendor | Product | Version Range | Status | CPE String |
|---|---|---|---|---|---|
📱App | dlink | nuclias connect | ≤ 1.3.1.4 | Vulnerable | cpe:2.3:a:dlink:nuclias_connect:*:*:*:*:*:*:*:* |
📱
VulnerableApplication
Version: ≤ 1.3.1.4
CPE:
cpe:2.3:a:dlink:nuclias_connect:*:*:*:*:*:*:*:*
Metrics
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🔍 Technical Details
Analysis Status
AnalyzedCVSS Details
6.9 (MEDIUM)v4.0
Source: [email protected]
EPSS Details
0.0% (Minimal)12.6th percentile
Last updated: Nov 1, 2025
Exploitation probability within 30 days
Published Date
Oct 16, 2025 (17 days ago)
Last Modified
Oct 30, 2025 (3 days ago)
Security Weaknesses1
CWE-204
References4
NVDadvisorygeneral+1