CVE-2025-34248 | HackTesting

D-Link Nuclias Connect firmware versions < 1.3.1.4 contain a directory traversal vulnerability within /api/web/dnc/global/database/deleteBackup due to improper sanitization of the deleteBackupList parameter. This can allow an authenticated attacker to delete arbitrary files impacting the integrity and availability of the system.

Credits

Alex Williams from Pellera Technologies

References

https://www.vulncheck.com/advisories/dlink-nuclias-connect-directory-traversal-to-arbitrary-file-deletion

https://www.dlink.com/en/for-business/nuclias/nuclias-connect

https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10472