D-Link Nuclias Connect: Username Enumeration via Observable Response Discrepancy in Login Endpoint
Vulnerability
A vulnerability allowing username enumeration has been identified in D-Link Nuclias Connect firmware versions through 1.3.1.4. This issue arises from an observable response discrepancy in the application's 'Login' endpoint, which returns different JSON responses based on whether the supplied username exists. The variation in the 'error.message' string value enables an unauthenticated remote attacker to enumerate valid usernames on the server.
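The response discrepancy described above, next to a uniform-response form and a regression check for it. This is an added example, not D-Link's code: the handler names, the account store and the message strings are constructed for illustration, and only the `error.message` field name comes from the advisory.

```python
import hashlib
import hmac
import json
import os

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def _record(password):
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed sample account store (hypothetical, not the product's data).
USERS = {"admin": _record("correct horse battery")}
# Dummy record: unknown usernames still cost one hash computation.
DUMMY = _record("unused placeholder")

def login_discrepant(username, password):
    """Pattern the advisory describes: error.message reveals whether the user exists.
    Both message strings are constructed for illustration."""
    rec = USERS.get(username)
    if rec is None:
        return 401, json.dumps({"error": {"message": "User not found"}})
    if not hmac.compare_digest(_hash(password, rec[0]), rec[1]):
        return 401, json.dumps({"error": {"message": "Wrong password"}})
    return 200, json.dumps({"ok": True})

def login_uniform(username, password):
    """Hardened form: same status, same body, same hash work for every failure."""
    salt, stored = USERS.get(username, DUMMY)
    digest_ok = hmac.compare_digest(_hash(password, salt), stored)
    if digest_ok and username in USERS:
        return 200, json.dumps({"ok": True})
    return 401, json.dumps({"error": {"message": "Invalid username or password"}})

def failures_match(handler, known_user, unknown_user):
    """Regression check: a failed login must look the same whether or not the user exists."""
    return handler(known_user, "wrong-pw") == handler(unknown_user, "wrong-pw")

if __name__ == "__main__":
    print("discrepant handler leaks:", not failures_match(login_discrepant, "admin", "nobody"))
    print("uniform handler leaks:   ", not failures_match(login_uniform, "admin", "nobody"))
```

The check compares status code and body only; response headers and response time need their own comparison.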
Impact
Exploitation of this vulnerability allows for the enumeration of valid usernames or accounts on the server.
Remediation
D-Link has announced that a fix is under development. Users are advised to update to version 1.3.1.4 Beta, available through the D-Link Nuclias Connect support page.
