A significant vulnerability in ETQ Reliance quality management software allows attackers to gain full administrative access by simply adding a single space character to a login attempt.
The flaw, tracked as CVE-2025-34143, is one of the most unusual authentication bypass vulnerabilities discovered in enterprise software. It requires no sophisticated techniques: typing “SYSTEM ” (with a trailing space) in the username field along with any password grants complete system access.
Key Takeaways
1. Typing "SYSTEM " (with a space) and any password grants full admin access to ETQ Reliance systems.
2. Enables complete system takeover and remote code execution.
3. Update to NXG Release 2025.1.2 immediately.
ETQ Reliance RCE Vulnerability
Assetnote discovered the vulnerability almost accidentally during a routine security assessment of ETQ Reliance, a popular document management system used by organizations worldwide.
Despite being widely deployed, the software had never received significant security research attention, with no previously registered CVEs in its history.
The researchers initially encountered an unusual error when attempting to log in with the username “SYSTEM”—instead of the typical “Invalid username/password” message, the system returned a specific error stating the account was “designated for internal use only”. This prompted further investigation that led to the critical discovery.
When researchers modified their approach by appending a single space to create “SYSTEM ” as the username, the authentication mechanism completely failed.
The application granted full access to the SYSTEM account regardless of the password used. This account provides extensive privileges within the ETQ Reliance environment, effectively compromising the entire system.
The vulnerability stems from inconsistent string handling in the application’s authentication logic.
The code initially checks if the username equals “SYSTEM” using equalsIgnoreCase(), which would block direct access. However, when a trailing space is added, the comparison no longer matches, so the block is skipped and the authentication process continues.
The critical flaw occurs in the database query layer, where MySQL’s default collation treats ‘SYSTEM’ and ‘SYSTEM ’ as equivalent strings.
This means the database successfully returns the SYSTEM user object even with the trailing space. Subsequently, the application’s user initialization code checks if the retrieved username equals “SYSTEM” and, finding a match, sets a system flag that bypasses password validation entirely.
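The mismatch described above, modelled as an added Java example (not ETQ's code and not taken from the Assetnote research). The `dbLookup` helper, the sample users and both login functions are hypothetical, and the lookup simulates a case-insensitive collation that ignores trailing spaces in memory rather than querying MySQL.

```java
import java.util.Map;

public class TrailingSpaceLoginDemo {
    // Constructed sample data: stored username -> password (plain text for brevity).
    static final Map<String, String> USERS = Map.of("SYSTEM", "not-guessable", "alice", "pw1");

    // Assumption: stands in for a lookup under a case-insensitive collation
    // that ignores trailing spaces when comparing strings.
    static String dbLookup(String name) {
        String key = name.replaceAll(" +$", "");
        for (String stored : USERS.keySet())
            if (stored.equalsIgnoreCase(key)) return stored;
        return null;
    }

    // Flow as the article describes it: the guard and the database disagree.
    static boolean vulnerableLogin(String user, String pass) {
        if (user.equalsIgnoreCase("SYSTEM")) return false;      // "internal use only" guard
        String stored = dbLookup(user);                         // "SYSTEM " still finds SYSTEM
        if (stored == null) return false;
        boolean systemFlag = stored.equalsIgnoreCase("SYSTEM"); // decided from the returned row
        return systemFlag || USERS.get(stored).equals(pass);    // flag skips the password check
    }

    // Hardened: reject padded input, guard on the stored identity,
    // and never let a flag replace password validation.
    static boolean hardenedLogin(String user, String pass) {
        if (!user.strip().equals(user)) return false;           // no leading/trailing whitespace
        String stored = dbLookup(user);
        if (stored == null || stored.equalsIgnoreCase("SYSTEM")) return false;
        return USERS.get(stored).equals(pass);
    }

    public static void main(String[] args) {
        // Constructed login attempts: {username, password}.
        String[][] attempts = {{"SYSTEM", "x"}, {"SYSTEM ", "x"}, {"alice", "pw1"}, {"alice ", "pw1"}};
        for (String[] a : attempts)
            System.out.printf("user=[%s] vulnerable=%b hardened=%b%n",
                    a[0], vulnerableLogin(a[0], a[1]), hardenedLogin(a[0], a[1]));
    }
}
```

The hardened path makes the access decision on the identity the database actually returned, so the application check and the collation can no longer disagree about who is logging in.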
The researchers demonstrated that this authentication bypass could be escalated to remote code execution (RCE) by exploiting ETQ Reliance’s custom Jython reporting feature.
By modifying system reports with malicious Python code, they achieved command execution on the underlying Windows server.
| Risk Factors | Details |
| --- | --- |
| Affected Products | ETQ Reliance (all versions prior to NXG Release 2025.1.2) |
| Impact | Remote Code Execution |
| Exploit Prerequisites | Access to ETQ Reliance login screen; no authentication required; no special tools or technical knowledge needed |
| CVSS 3.1 Score | Critical |
Beyond the primary authentication bypass, the research uncovered three additional vulnerabilities: reflected cross-site scripting in SQLConverterServlet (CVE-2025-34141), XML External Entity injection in the SSO SAML handler (CVE-2025-34142), and another authentication bypass via localized-text URI suffix (CVE-2025-34140).
Hexagon ETQ has released patches addressing these vulnerabilities in NXG Release 2025.1.2.
The company emphasizes that organizations should immediately update their installations to prevent potential exploitation of these critical security flaws.
The post ETQ Reliance RCE Vulnerability Enables Full SYSTEM Access Just by Typing a Single Space appeared first on Cyber Security News.