A serious flaw in the quality management software ETQ Reliance allowed an attacker to gain full access to the administration system simply by adding a space to the login name.
Tracked as CVE-2025-34143, the vulnerability is one of the strangest authentication bypasses ever discovered in enterprise software. Simply enter "SYSTEM " (with a trailing space) into the username field together with any password, and the system grants full access.
This vulnerability made it possible to fully hijack the system and execute code on it remotely. Researchers from Assetnote discovered it by chance during a routine security review of ETQ Reliance, a document management platform widely used around the world. Despite its wide deployment, the software had never been subjected to a deep security review, and no CVE had been recorded against it before.
The initial lead came from an unusual error when the team tried to log in with the "SYSTEM" account. Instead of reporting the account as invalid, the system returned a notice that the account is for internal use only. When the team then added a trailing space, logging in as "SYSTEM ", the authentication mechanism failed completely, granting access to the entire system with any password.
The root cause is inconsistent string handling in the authentication logic. Although the software uses equalsIgnoreCase() to block the "SYSTEM" account, that check does not match a username with a trailing space, so "SYSTEM " passes through. The database query layer, however, uses MySQL with its default collation (the rule for comparing and sorting character strings), which treats "SYSTEM" and "SySTeM" as the same value, so the lookup for "SYSTEM " still returns the real SYSTEM account. The result is that the database returns a valid user object, the subsequent session initialization code compares the username from that object, which is exactly "SYSTEM", sets the system flag, and skips the password check entirely.
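The mismatch described above, as an added illustration that is not ETQ code: a constructed in-memory user store stands in for the database, and `collation_key()` emulates a case-insensitive collation that also ignores trailing spaces (an assumption about the padding behaviour). The vulnerable login checks the blocklist against the raw input but trusts the canonical name the store returns; the hardened version decides on the store's record and never skips the password check.

```python
# Constructed sample user store standing in for the MySQL table (not ETQ data).
USERS = {
    "SYSTEM": {"password": None, "internal": True},
    "alice": {"password": "correct-horse", "internal": False},
}


def collation_key(value: str) -> str:
    """Emulate a case-insensitive collation that ignores trailing spaces (assumed)."""
    return value.rstrip(" ").casefold()


def db_lookup(username: str):
    """Return the stored record whose name compares equal under the collation."""
    key = collation_key(username)
    for name, row in USERS.items():
        if collation_key(name) == key:
            return {"username": name, **row}   # canonical name from the store
    return None


def login_vulnerable(username: str, password: str) -> str:
    # equalsIgnoreCase() on the raw input: "SYSTEM " does not match and slips past.
    if username.casefold() == "system":
        return "rejected: internal account"
    user = db_lookup(username)             # collation matches "SYSTEM " to SYSTEM
    if user is None:
        return "rejected: unknown user"
    # Later code compares the canonical name from the record and sets the
    # system flag, skipping the password check entirely.
    if user["username"] == "SYSTEM":
        return "granted: system session"
    if user["password"] == password:
        return "granted"
    return "rejected: bad password"


def login_fixed(username: str, password: str) -> str:
    user = db_lookup(username)
    if user is None:
        return "rejected"
    # Decide on the record the store returned, not on the raw input, and
    # reject internal accounts before any password logic runs.
    if user["internal"]:
        return "rejected: internal account"
    if user["password"] is not None and user["password"] == password:
        return "granted"
    return "rejected"
```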
The researchers chained this authentication bypass into remote code execution by taking advantage of the custom Jython reporting feature in ETQ Reliance. By inserting malicious Python code into a system report, they could execute commands directly on the Windows server hosting the platform.
The vulnerability affects all versions of ETQ Reliance prior to NXG Release 2025.1.2. Exploitation requires only access to the login interface, with no prior authentication and no special tooling. The flaw is rated critical under CVSS 3.1.
In addition to CVE-2025-34143, the study found three other serious vulnerabilities:
- CVE-2025-34141: Reflected cross-site scripting (XSS) in SQL ComponentConverterServlet
- CVE-2025-34142: XML External Entity (XXE) injection in the SSO SAML handler
- CVE-2025-34140: Authentication bypass via a URI suffix containing localized text
Hexagon ETQ released patches for all of these vulnerabilities in NXG Release 2025.1.2. The company recommends that organizations update immediately to eliminate the risk of exploitation.