CVE-2025-34248 - Vulnerability Details

D-Link Nuclias Connect firmware versions < 1.3.1.4 contain a directory traversal vulnerability within /api/web/dnc/global/database/deleteBackup due to improper sanitization of the deleteBackupList parameter. This can allow an authenticated attacker to delete arbitrary files impacting the integrity and availability of the system.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
D-link	Nuclias Connect

No data.

References

Link	Providers
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10472
https://www.dlink.com/en/for-business/nuclias/nuclias-connect
https://www.vulncheck.com/advisories/dlink-nuclias-connect-directory-traversal-to-arbitrary-file-deletion

History

Tue, 14 Oct 2025 13:15:00 +0000

Type	Values Removed	Values Added
References		https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10472

Fri, 10 Oct 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 10 Oct 2025 11:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		D-link D-link nuclias Connect
Vendors & Products		D-link D-link nuclias Connect

Thu, 09 Oct 2025 21:00:00 +0000

Type	Values Removed	Values Added
Description		D-Link Nuclias Connect firmware versions < 1.3.1.4 contain a directory traversal vulnerability within /api/web/dnc/global/database/deleteBackup due to improper sanitization of the deleteBackupList parameter. This can allow an authenticated attacker to delete arbitrary files impacting the integrity and availability of the system.
Title		D-Link Nuclias Connect < v1.3.1.4 Directory Traversal to Arbitrary File Deletion
Weaknesses		CWE-22
References		https://www.dlink.com/en/for-business/nuclias/nuclias-connect https://www.vulncheck.com/advisories/dlink-nuclias-connect-directory-traversal-to-arbitrary-file-deletion
Metrics		cvssV4_0 `{'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2025-10-09T20:43:53.064Z

Updated: 2025-10-14T12:48:28.137Z

Reserved: 2025-04-15T19:15:22.577Z

Link: CVE-2025-34248

Vulnrichment

Updated: 2025-10-10T14:30:09.817Z

NVD

Status : Awaiting Analysis

Published: 2025-10-09T21:15:35.557

Modified: 2025-10-14T19:37:28.107

Link: CVE-2025-34248

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Exploitation none

Automatable yes

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object