CVE-2025-34248 | THREATINT

Description

D-Link Nuclias Connect firmware versions < 1.3.1.4 contain a directory traversal vulnerability within /api/web/dnc/global/database/deleteBackup due to improper sanitization of the deleteBackupList parameter. This can allow an authenticated attacker to delete arbitrary files impacting the integrity and availability of the system.

PUBLISHED Reserved 2025-04-15 | Published 2025-10-09 | Updated 2025-10-10 | Assigner VulnCheck

HIGH: 7.2CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status

unaffected

* before 1.3.1.4

affected

Credits

Alex Williams from Pellera Technologies finder

References

www.vulncheck.com/...ry-traversal-to-arbitrary-file-deletion third-party-advisory

www.dlink.com/en/for-business/nuclias/nuclias-connect product

cve.org (CVE-2025-34248)

nvd.nist.gov (CVE-2025-34248)

Download JSON