CVE-2025-34248
Description
D-Link Nuclias Connect firmware versions < 1.3.1.4 contain a directory traversal vulnerability within /api/web/dnc/global/database/deleteBackup due to improper sanitization of the deleteBackupList parameter. This can allow an authenticated attacker to delete arbitrary files impacting the integrity and availability of the system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated directory traversal in D-Link Nuclias Connect allows arbitrary file deletion via deleteBackupList parameter.
Vulnerability Details
CVE-2025-34248 is a directory traversal vulnerability in D-Link Nuclias Connect firmware versions prior to 1.3.1.4 [2]. The flaw resides in the /api/web/dnc/global/database/deleteBackup endpoint, where the deleteBackupList parameter is not properly sanitized [3]. This allows an attacker to break out of the intended backup directory and reference arbitrary files on the system.
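The kind of containment check whose absence produces this class of bug, as an added Python example (not D-Link's code or its patch): each entry of a deleteBackupList-style list is validated against the backup directory before anything is deleted. The function names, file names and the all-or-nothing policy are assumptions, and the sample input is constructed.

```python
import os
import tempfile

def resolve_backup_targets(backup_dir, names):
    """Return (safe_paths, rejected_names) for a client-supplied list of names."""
    root = os.path.realpath(backup_dir)
    safe, rejected = [], []
    for name in names:
        # Accept plain file names only: no separators, dot entries or NUL bytes.
        if (not isinstance(name, str) or name in ("", ".", "..")
                or any(c in name for c in ("/", "\\", "\x00"))):
            rejected.append(name)
            continue
        # Resolve symlinks, then require a regular file directly inside root.
        candidate = os.path.realpath(os.path.join(root, name))
        if os.path.dirname(candidate) != root or not os.path.isfile(candidate):
            rejected.append(name)
            continue
        safe.append(candidate)
    return safe, rejected

def delete_backups(backup_dir, names):
    """Delete only if every entry validates; one bad entry fails the request."""
    safe, rejected = resolve_backup_targets(backup_dir, names)
    if rejected:
        return {"deleted": [], "rejected": rejected}
    for path in safe:
        os.remove(path)
    return {"deleted": [os.path.basename(p) for p in safe], "rejected": []}

def demo():
    """Run the check over constructed sample input in a throwaway directory."""
    with tempfile.TemporaryDirectory() as top:
        backup_dir = os.path.join(top, "backups")
        os.mkdir(backup_dir)
        outside = os.path.join(top, "system.conf")      # file outside backup dir
        kept = os.path.join(backup_dir, "backup_a.tar")
        for path in (outside, kept):
            open(path, "w").close()
        os.symlink(outside, os.path.join(backup_dir, "link.tar"))
        mixed = delete_backups(backup_dir, ["backup_a.tar", "../system.conf"])
        via_link = delete_backups(backup_dir, ["link.tar"])
        survived = os.path.exists(outside) and os.path.exists(kept)
        clean = delete_backups(backup_dir, ["backup_a.tar"])
        return mixed, via_link, survived, clean, os.path.exists(kept)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Rejected entries are worth logging together with the authenticated account, since a traversal sequence in this parameter has no legitimate use.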
Exploitation Prerequisites
An attacker must be authenticated to the Nuclias Connect management interface and must be able to send crafted HTTP requests to the vulnerable API endpoint [2]. No special privileges beyond standard user authentication are required, and the attack is network-based with low complexity [3].
Impact
Successful exploitation enables an authenticated attacker to delete arbitrary files on the appliance [3]. This can lead to denial of service (availability impact) and potential integrity loss if critical system files are removed [2]. No confidentiality impact is expected, but the effect on system operation can be severe.
Mitigation
D-Link has addressed this vulnerability in Nuclias Connect firmware version 1.3.1.4 and later (including 1.3.1.5) [2]. Users are advised to update to the latest firmware version immediately. The vendor has acknowledged the report and provided patches [2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches: 0
No patches discovered yet.
References: 3
News mentions: 0
No linked articles in our index yet.