CVE-2025-34254

5.3 MEDIUM

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to enumerate valid usernames on D-Link Nuclias Connect systems by observing different error messages in login responses. Attackers can determine which accounts exist on the server, facilitating targeted credential attacks. All systems running affected firmware versions are vulnerable.

💻 Affected Systems

Products:
  • D-Link Nuclias Connect
Versions: <= 1.3.1.4
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. The vulnerability exists in the web management interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers build a complete list of valid usernames, then conduct targeted password attacks leading to unauthorized access and potential system compromise.

🟠 Likely Case

Attackers enumerate some valid usernames and use them for credential stuffing or targeted phishing campaigns.

🟢 If Mitigated

Attackers can still enumerate usernames but cannot gain access due to strong passwords and multi-factor authentication.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests to the login endpoint and observation of response differences.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not yet released

Vendor Advisory: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10472

Restart Required: No

Instructions:

Monitor D-Link security advisories for patch release. Apply firmware update when available through Nuclias Connect web interface.

🔧 Temporary Workarounds

Network Access Control

Applies to: all

Restrict access to the Nuclias Connect management interface to trusted IP addresses only

Web Application Firewall

Applies to: all

Configure the WAF to normalize login error responses or block enumeration patterns

🧯 If You Can't Patch

  • Implement network segmentation to isolate Nuclias Connect from untrusted networks
  • Enable multi-factor authentication and enforce strong password policies

🔍 How to Verify

Check if Vulnerable:

Send POST requests to the /login endpoint with both a valid and an invalid username and compare the error.message values in the JSON responses; differing messages indicate the system is vulnerable

Check Version:

Check firmware version in Nuclias Connect web interface under System > About

Verify Fix Applied:

After patching, test that login responses return identical error messages regardless of whether the submitted username exists

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts with different usernames from same source
  • Unusual pattern of login requests testing various usernames

Network Indicators:

  • High volume of POST requests to /login endpoint
  • Requests with systematically varied username parameters

SIEM Query:

source_ip='*' AND destination_port=443 AND url_path='/login' AND http_method='POST' | stats count by source_ip, username | where count > threshold
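The log and network indicators above, together with the SIEM query, reduce to one check: a single source submitting many distinct usernames to POST /login that all fail. The routine below is an added example, not part of this advisory or of D-Link's software; the log line format (ip, method, path, outcome, username), the sample lines and the threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access log (assumed format: ip method path outcome username).
# 203.0.113.5 cycles through five different usernames, all failing: the
# enumeration pattern. 198.51.100.7 is a normal user who mistyped once.
SAMPLE_LOGS = """\
203.0.113.5 POST /login fail admin
203.0.113.5 POST /login fail operator
203.0.113.5 POST /login fail backup
203.0.113.5 POST /login fail jsmith
203.0.113.5 POST /login fail root
198.51.100.7 POST /login fail admin
198.51.100.7 POST /login ok admin
198.51.100.7 GET /dashboard ok admin
this line is not a log record
"""

LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<outcome>ok|fail) (?P<user>\S+)$"
)


def parse_line(line):
    """Parse one record of the assumed format; return None for anything else."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def distinct_failed_usernames(lines):
    """Map each source IP to the set of usernames it tried on POST /login and failed."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == "/login" and rec["outcome"] == "fail":
            seen[rec["ip"]].add(rec["user"])
    return seen


def flag_enumeration(lines, threshold=3):
    """Return {ip: distinct_username_count} for sources above the threshold.

    Counting distinct usernames (not raw failures) separates enumeration from a
    single account being brute-forced, which the SIEM query above also does by
    grouping on (source_ip, username).
    """
    return {
        ip: len(users)
        for ip, users in distinct_failed_usernames(lines).items()
        if len(users) > threshold
    }


if __name__ == "__main__":
    for ip, n in flag_enumeration(SAMPLE_LOGS.splitlines()).items():
        print(f"possible username enumeration from {ip}: {n} distinct usernames")
```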
