The vulnerability identified as CVE-2025-34255 affects D-Link Nuclias Connect firmware versions up to 1.3.1.4. It is classified under CWE-204, which involves observable response discrepancies that can be exploited for information disclosure. Specifically, the 'Forgot Password' API endpoint returns a JSON response containing a 'data.exist' boolean field that differs based on whether the provided email address corresponds to a valid account. This difference in response allows an unauthenticated remote attacker to enumerate valid email addresses registered on the system without any authentication or user interaction. The vulnerability arises due to improper handling of error messages and response content that inadvertently leaks user existence information. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low complexity, no privileges or user interaction required, and limited impact confined to confidentiality (user enumeration). D-Link has confirmed the issue and is working on a patch, but no fixes are currently available. No known exploits have been reported in the wild, but the flaw can be leveraged as a reconnaissance step in targeted attacks against organizations using Nuclias Connect devices.

This vulnerability primarily impacts the confidentiality of user information by enabling attackers to enumerate valid email addresses/accounts on affected Nuclias Connect devices. Such information disclosure can facilitate targeted phishing campaigns, social engineering, credential stuffing, or brute force attacks against valid accounts. While the vulnerability does not directly allow unauthorized access or system compromise, it lowers the barrier for attackers to identify legitimate users, increasing the risk of subsequent attacks. Organizations relying on Nuclias Connect for network management or access control may face increased exposure of user data, potentially leading to privacy violations and reputational damage. The scope is limited to devices running vulnerable firmware versions, but given the widespread use of D-Link networking products globally, the impact could be significant in sectors such as education, SMBs, and enterprises that deploy Nuclias Connect solutions.

Organizations should immediately monitor D-Link communications for the release of the official patch and apply it promptly once available. In the interim, administrators can implement the following mitigations: 1) Restrict access to the Nuclias Connect management interface and its API endpoints to trusted internal networks or VPNs to reduce exposure to unauthenticated remote attackers. 2) Employ web application firewalls (WAFs) or intrusion detection/prevention systems (IDS/IPS) to detect and block suspicious enumeration patterns targeting the 'Forgot Password' endpoint. 3) Review and harden password reset workflows to minimize information leakage, potentially by standardizing responses regardless of email validity. 4) Educate users and administrators about phishing risks that may arise from leaked account information. 5) Monitor logs for unusual activity related to password reset requests to detect enumeration attempts early. These steps help reduce the attack surface until a vendor patch is deployed.