CVE-2025-34255: CWE-204 Observable Response Discrepancy in D-Link Nuclias Connect
D-Link Nuclias Connect firmware versions <= 1.3.1.4 contain an observable response discrepancy vulnerability. The application's 'Forgot Password' endpoint returns distinct JSON responses depending on whether the supplied email address is associated with an existing account. Because the responses differ in the `data.exist` boolean value, an unauthenticated remote attacker can enumerate valid email addresses/accounts on the server. NOTE: D-Link states that a fix is under development.
AI Analysis
Technical Summary
CVE-2025-34255 is an information disclosure vulnerability classified under CWE-204 (Observable Response Discrepancy) affecting D-Link Nuclias Connect firmware versions 1.3.1.4 and earlier. The vulnerability arises from the 'Forgot Password' API endpoint, which returns JSON responses containing a boolean field `data.exist` whose value depends on whether the submitted email address corresponds to a registered account. Because the responses are distinguishable, an unauthenticated remote attacker can enumerate valid email addresses registered on the system by submitting various email inputs and observing the response differences. The flaw requires no authentication, user interaction, or elevated privileges, and can be exploited over the network (AV:N). The CVSS 4.0 base score is 6.9 (medium severity), reflecting the ease of exploitation and the confidentiality impact; integrity and availability are not affected. No public exploits have been reported yet, but the information leakage can facilitate further attacks such as targeted phishing, credential stuffing, or brute-force attempts. D-Link has acknowledged the vulnerability and is working on a patch, but no official fix is currently available. Organizations using affected Nuclias Connect devices should be aware of this risk and monitor for updates.
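A way to check whether a deployment still shows the discrepancy described above: capture the reply for an address you know is registered and one you know is not, then diff them. This is an added example, not D-Link's code; only the `data.exist` field comes from the advisory, while the sample bodies, the uniform reply and the function names are constructed for illustration.

```python
import json

# Constructed (status, body) pairs. Only `data.exist` is taken from the advisory;
# every other field and the uniform reply are assumptions.
LEAKY_KNOWN = (200, '{"data": {"exist": true}}')
LEAKY_UNKNOWN = (200, '{"data": {"exist": false}}')
UNIFORM = (200, '{"data": {"message": "If the address is registered, a reset email was sent."}}')


def differing_paths(a, b, prefix=""):
    """Return the JSON paths whose values differ between two decoded bodies."""
    if isinstance(a, dict) and isinstance(b, dict):
        paths = []
        for key in sorted(set(a) | set(b)):
            path = f"{prefix}.{key}" if prefix else key
            if key not in a or key not in b:
                paths.append(path)  # field present in only one reply
            else:
                paths.extend(differing_paths(a[key], b[key], path))
        return paths
    # Compare types as well, so that true and 1 are not treated as equal.
    same = a == b and type(a) is type(b)
    return [] if same else [prefix or "$"]


def response_discrepancies(known, unknown):
    """List what an observer could use to tell the two replies apart."""
    found = []
    if known[0] != unknown[0]:
        found.append("status")
    body_paths = differing_paths(json.loads(known[1]), json.loads(unknown[1]))
    found.extend("body." + p for p in body_paths)
    return found


if __name__ == "__main__":
    print(response_discrepancies(LEAKY_KNOWN, LEAKY_UNKNOWN))
    print(response_discrepancies(UNIFORM, UNIFORM))
```

An empty list for the pair of replies is the condition to hold a patched build to; response time and headers are not compared here and would need their own check.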
Potential Impact
For European organizations, this vulnerability primarily threatens the confidentiality of user account information by enabling attackers to confirm valid email addresses associated with Nuclias Connect accounts. This can lead to increased risk of targeted phishing campaigns, social engineering, and credential-based attacks against employees or administrators. While the vulnerability does not directly compromise system integrity or availability, the information disclosure can be a stepping stone for more sophisticated attacks. Organizations in sectors such as telecommunications, education, government, and enterprises that deploy D-Link Nuclias Connect for network management may face elevated risks. The exposure of valid user accounts could undermine trust and lead to regulatory compliance issues under GDPR, especially if personal data is involved. Although no active exploitation is known, the ease of exploitation and lack of authentication requirements make timely mitigation important to prevent reconnaissance by malicious actors.
Mitigation Recommendations
To mitigate this vulnerability, organizations should implement the following specific measures:
1) Monitor D-Link communications and security advisories closely for the official patch release and apply updates promptly once available.
2) Restrict access to the Nuclias Connect management interface and its API endpoints by implementing network segmentation and firewall rules that limit access to trusted IP ranges only.
3) Employ web application firewalls (WAFs) or intrusion detection/prevention systems (IDS/IPS) to detect and block anomalous requests targeting the 'Forgot Password' endpoint, such as high-frequency or pattern-based email enumeration attempts.
4) Implement rate limiting and CAPTCHA challenges on the 'Forgot Password' functionality to hinder automated enumeration attempts.
5) Educate users and administrators about phishing risks and encourage strong, unique passwords combined with multi-factor authentication (MFA) where possible to reduce the impact of credential harvesting.
6) Regularly audit logs for suspicious activity related to password reset requests and investigate anomalies promptly.
7) Consider temporarily disabling or customizing the 'Forgot Password' feature if feasible until a patch is applied to prevent information leakage.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.578Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68f140779f8a5dbaeaf6e5bb
Added to database: 10/16/2025, 6:59:03 PM
Last enriched: 11/28/2025, 10:28:40 PM
Last updated: 12/4/2025, 9:48:28 PM