D-Link Nuclias Connect Observable Response Discrepancy Vulnerability in Forgot Password Endpoint

Vulnerability

An account-enumeration vulnerability caused by an observable response discrepancy has been identified in D-Link Nuclias Connect firmware versions through 1.3.1.4. The 'Forgot Password' endpoint responds differently depending on whether the supplied email address belongs to an existing account; the difference is exposed in the 'data.exist' boolean of the response, which lets an unauthenticated remote attacker enumerate valid email addresses or accounts on the server.
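The discrepancy described above, modelled as an added example that is not D-Link's code: a minimal forgot-password handler that leaks existence through a 'data.exist' flag, beside a hardened handler that answers uniformly, plus a defender's check that compares the two responses. The account store, email addresses and the _queue_reset_email helper are constructed for the demonstration.

```python
import secrets

# Constructed sample account store (email -> user id); not real data.
ACCOUNTS = {"alice@example.com": 1, "bob@example.com": 2}


def _queue_reset_email(user_id: int, token: str) -> None:
    """Hypothetical mail sender; a real service would store the token and send it."""
    return None


def forgot_password_vulnerable(email: str) -> dict:
    """Leaks account existence: the 'data.exist' value differs per input."""
    exist = email.lower() in ACCOUNTS
    return {"status": "ok", "data": {"exist": exist}}


def forgot_password_hardened(email: str) -> dict:
    """Uniform response: the body does not depend on whether the account exists.

    The token is generated on every call so the two paths do similar work
    (reducing timing skew); it is only queued when the account is known."""
    user_id = ACCOUNTS.get(email.lower())
    token = secrets.token_urlsafe(32)
    if user_id is not None:
        _queue_reset_email(user_id, token)
    # Identical body for known and unknown addresses.
    return {
        "status": "ok",
        "data": {"message": "If the address is registered, a reset link has been sent."},
    }


def responses_distinguishable(handler, known_email: str, unknown_email: str) -> bool:
    """Defender's check: do a registered and an unregistered address yield different bodies?

    True means the handler exposes an observable response discrepancy."""
    return handler(known_email) != handler(unknown_email)
```

The same comparison can be run against a real endpoint's status code, headers and body to confirm a fix removes the discrepancy.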

Impact

Exploitation of this vulnerability allows for enumeration of valid email addresses or accounts on the server.

Remediation

D-Link has announced that a fix is under development. Users are advised to update to version 1.3.1.4 Beta, available through the D-Link Nuclias Connect support page.

Added: Oct 16, 2025, 7:25 PM
Updated: Oct 16, 2025, 7:25 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 0.7
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.