ETQ Reliance RCE Flaw Grants Full SYSTEM Access with a Single Space

Hexagon ETQ’s Java-based quality management system, ETQ Reliance, has several serious flaws, according to a new security research revelation by Assetnote.

The software, which facilitates document and form management with integrations like Microsoft Word macros and Jython scripting, has been found susceptible to exploits ranging from reflected cross-site scripting (XSS) to XML External Entity (XXE) injection, authentication bypass, and remote code execution (RCE).

Despite its popularity and exposure of sensitive documents online, ETQ Reliance had no prior CVEs registered, making it a prime target for analysis.

The flaws, assigned CVEs 2025-34140 through 2025-34143, were responsibly disclosed, leading to patches in NXG Release 2025.1.2.

Researchers began by scrutinizing the application’s web.xml configuration, identifying unsecured servlets like SQLConverterServlet, which exposes a developer-oriented interface for SQL query conversion across vendors such as MySQL, PostgreSQL, and Oracle.

Vulnerability Chain Exposed

A reflected XSS vulnerability (CVE-2025-34141) arises from inadequate sanitization in the servlet’s doGet method, where user-supplied parameters like MySQLStm are directly echoed into HTML output via PrintWriter, enabling arbitrary JavaScript injection pre-authentication.

Delving deeper into the SSOFilter at /resources/sessions/sso, the team identified an XXE injection flaw (CVE-2025-34142) in the SamlAuthenticationModule.

The parseXmlMessage function in SAMLManager employs a DocumentBuilderFactory without disabling external entity resolution, allowing attackers to submit malicious SAMLResponse payloads that trigger outbound requests or file disclosures.

In environments with restricted outbound traffic, exploitation escalates by leveraging Java’s error handling in the Location header, where unknown protocols echo full URLs.

By incorporating parameter entities and repurposing local Windows DTDs like cim20.dtd, attackers can exfiltrate file contents such as C:\Windows\win.ini via encoded error messages, bypassing XML spec restrictions on entity placement.

This technique also enables directory listings, though limited by prohibitions on characters like ‘

Authentication Bypass

The most striking discovery is an authentication bypass (CVE-2025-34143) in the login mechanism, where appending a single trailing space to the username “SYSTEM” grants full access to the internal SYSTEM account without password validation.

In UserManager.java, the resolveUser function checks for “SYSTEM” case-insensitively but fails to trim whitespace, throwing an AppException for exact matches while proceeding for “SYSTEM “.

According to the Report, Due to MySQL’s default collation treating “SYSTEM” and “SYSTEM ” as equivalent in database fetches, the User constructor sets the system flag to true, skipping the authenticate(pwd) call entirely.

This allows login with arbitrary passwords, exposing the SYSTEM account intended for internal operations.

Compounding this, another bypass (CVE-2025-34140) involves appending “;localized-text” to URIs, though less detailed in the disclosure.

From this foothold, escalation to RCE is straightforward via ETQ’s Jython-based reporting engine.

As the SYSTEM user, modifying report scripts such as injecting subprocess.Popen calls to execute commands like “cmd.exe /c dir” results in arbitrary code execution when the report renders.

This chain transforms a simple input quirk into full system compromise. Assetnote’s findings underscore the perils of overlooked edge cases in enterprise Java applications, where abstractions like collation behaviors and untrimmed inputs create subtle attack vectors.

Hexagon ETQ’s advisory confirms patches, urging immediate updates to mitigate risks of data exfiltration, unauthorized access, and RCE in production environments.

Get Free Ultimate SOC Requirements Checklist Before you build, buy, or switch your SOC for 2025 - Download Now

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!