ETQ Reliance RCE Flaw Grants Full SYSTEM Access with a Single Space

Hexagon ETQ’s Java-based quality management system, ETQ Reliance, has several serious flaws, according to a new security research revelation by Assetnote.

The software, which facilitates document and form management with integrations like Microsoft Word macros and Jython scripting, has been found susceptible to exploits ranging from reflected cross-site scripting (XSS) to XML External Entity (XXE) injection, authentication bypass, and remote code execution (RCE).

Despite its popularity and exposure of sensitive documents online, ETQ Reliance had no prior CVEs registered, making it a prime target for analysis.

The flaws, assigned CVEs 2025-34140 through 2025-34143, were responsibly disclosed, leading to patches in NXG Release 2025.1.2.

Researchers began by scrutinizing the application’s web.xml configuration, identifying unsecured servlets like SQLConverterServlet, which exposes a developer-oriented interface for SQL query conversion across vendors such as MySQL, PostgreSQL, and Oracle.

Vulnerability Chain Exposed

A reflected XSS vulnerability (CVE-2025-34141) arises from inadequate sanitization in the servlet’s doGet method, where user-supplied parameters like MySQLStm are directly echoed into HTML output via PrintWriter, enabling arbitrary JavaScript injection pre-authentication.

Delving deeper into the SSOFilter at /resources/sessions/sso, the team identified an XXE injection flaw (CVE-2025-34142) in the SamlAuthenticationModule.

The parseXmlMessage function in SAMLManager employs a DocumentBuilderFactory without disabling external entity resolution, allowing attackers to submit malicious SAMLResponse payloads that trigger outbound requests or file disclosures.

In environments with restricted outbound traffic, exploitation escalates by leveraging Java’s error handling in the Location header, where unknown protocols echo full URLs.

By incorporating parameter entities and repurposing local Windows DTDs like cim20.dtd, attackers can exfiltrate file contents such as C:Windowswin.ini via encoded error messages, bypassing XML spec restrictions on entity placement.

This technique also enables directory listings, though limited by prohibitions on characters like ‘<‘ or ‘”‘ and entity expansion size constraints.

Authentication Bypass

The most striking discovery is an authentication bypass (CVE-2025-34143) in the login mechanism, where appending a single trailing space to the username “SYSTEM” grants full access to the internal SYSTEM account without password validation.

In UserManager.java, the resolveUser function checks for “SYSTEM” case-insensitively but fails to trim whitespace, throwing an AppException for exact matches while proceeding for “SYSTEM “.

According to the Report, Due to MySQL’s default collation treating “SYSTEM” and “SYSTEM ” as equivalent in database fetches, the User constructor sets the system flag to true, skipping the authenticate(pwd) call entirely.

This allows login with arbitrary passwords, exposing the SYSTEM account intended for internal operations.

Compounding this, another bypass (CVE-2025-34140) involves appending “;localized-text” to URIs, though less detailed in the disclosure.

From this foothold, escalation to RCE is straightforward via ETQ’s Jython-based reporting engine.

As the SYSTEM user, modifying report scripts such as injecting subprocess.Popen calls to execute commands like “cmd.exe /c dir” results in arbitrary code execution when the report renders.

This chain transforms a simple input quirk into full system compromise. Assetnote’s findings underscore the perils of overlooked edge cases in enterprise Java applications, where abstractions like collation behaviors and untrimmed inputs create subtle attack vectors.

Hexagon ETQ’s advisory confirms patches, urging immediate updates to mitigate risks of data exfiltration, unauthorized access, and RCE in production environments.

Get Free Ultimate SOC Requirements Checklist Before you build, buy, or switch your SOC for 2025 - Download Now