Key Information

Vulnerability name: D-Link Nuclias Connect <= v1.3.1.4 Login Account Enumeration
Severity: MEDIUM
Date: October 16, 2025
Affected versions: Nuclias Connect <= 1.3.1.4
CVE ID: CVE-2025-34254
CWE type: CWE-204 Observable Response Discrepancy
CVSS score: 6.9
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:PR/N/UI/N/VC:L/V:E/N/VA:N/SC:N/SI:N/SA:N

References:
- D-Link Advisory
- D-Link Nuclias Connect

Discovered by: Alex Williams from Pellera Technologies

Description:
- D-Link Nuclias Connect firmware versions <= 1.3.1.4 contain an observable response discrepancy vulnerability. The application's 'Login' endpoint returns distinct JSON responses depending on whether the supplied username is associated with an existing account. Because the responses differ in the 'errormessage' string value, an unauthenticated remote attacker can enumerate valid usernames/accounts on the server. NOTE: D-Link states that a fix is under development.