Boston, MA – A critical authentication bypass vulnerability, identified as CVE-2025-34143, has been disclosed in ETQ Reliance, a widely used quality management system (QMS). The vulnerability, discovered by the SLCyberSec Research Team (Assetnote) as part of their "Christmas in July" disclosures, let attackers bypass authentication, and from there obtain remote code execution (RCE), with an unusually simple trick: adding a single space character to the username in a login attempt.
The SLCyberSec Research Team, specifically researcher "shubs," announced the finding on social media, stating, "For our third installment of Christmas in July, the @SLCyberSec Research Team is disclosing a critical authentication bypass vulnerability in ETQ Reliance that leads to RCE (CVE-2025-34143). Surprisingly, all you needed was a space to bypass auth." This exploit allowed unauthorized access by manipulating the username field to log in as the privileged internal SYSTEM user, which does not require a password.
ETQ, a subsidiary of Hexagon, acknowledged the vulnerability and confirmed that it was addressed promptly. The company stated that the critical authentication bypass was resolved with an emergency patch applied to impacted environments in early April 2025. Additional fixes for other related vulnerabilities were completed in April and rolled out to customers in early June 2025 with ETQ Reliance release 2025.1.2.
The vulnerability's simplicity is particularly notable, as it allowed full administrative access by merely typing "SYSTEM " (with a trailing space) in the username field alongside any password. Researchers demonstrated that this authentication bypass could be escalated to RCE by exploiting ETQ Reliance’s custom Jython reporting feature, enabling command execution on the underlying Windows server.
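To make the failure class concrete, the following is an added Python example, not code from ETQ, Assetnote or this article. The page does not describe the actual root cause; the model below assumes one plausible mechanism, a deny-list check performed on the raw username while the account lookup trims surrounding whitespace, so the check and the lookup see different values. Every name in it (INTERNAL_ACCOUNTS, USERS, canonicalize, authenticate_vulnerable, authenticate_fixed, suspicious_username) and the sample user store are hypothetical and constructed for illustration.

```python
import hmac

# Illustrative model only, NOT ETQ Reliance's code.  The article states that the
# username "SYSTEM " (trailing space) logged in as the passwordless internal SYSTEM
# account.  The root cause modelled here is an ASSUMPTION: the login path refuses
# the literal "SYSTEM", but the account lookup strips whitespace, so "SYSTEM "
# slips past the check and still resolves to the SYSTEM account.

INTERNAL_ACCOUNTS = {"SYSTEM"}                 # assumed: passwordless internal principals
USERS = {"SYSTEM": None, "alice": "hunter2"}   # constructed sample store; None = no password


def canonicalize(username):
    """The ONE normalization applied to identifiers before any decision is made.

    Whatever the user store does to a name (here: strip surrounding whitespace)
    must live in this function so the deny-list check and the lookup can never
    disagree about which account a string refers to.
    """
    return username.strip()


def authenticate_vulnerable(username, password):
    """Check on the raw value, look up the normalized value: the bypass pattern."""
    if username in INTERNAL_ACCOUNTS:          # "SYSTEM " != "SYSTEM", so this passes
        return None
    key = username.strip()                     # ...but the lookup trims: key == "SYSTEM"
    if key not in USERS:
        return None
    stored = USERS[key]
    if stored is None:                         # internal account: no password required
        return key                             # attacker is now SYSTEM
    return key if password == stored else None


def authenticate_fixed(username, password):
    """Normalize once, decide on that single value, never log internal accounts in."""
    key = canonicalize(username)
    if key in INTERNAL_ACCOUNTS:               # compared against the canonical form
        return None
    stored = USERS.get(key)
    if stored is None:                         # unknown user, or an account with no password
        return None                            # passwordless accounts never authenticate
    return key if hmac.compare_digest(password.encode(), stored.encode()) else None


def suspicious_username(username):
    """Detection aid: flag login attempts whose identifier is not in canonical form.

    Leading or trailing whitespace in a username field is rare in legitimate
    traffic and is exactly the artefact the described bypass leaves in logs.
    """
    return username != canonicalize(username)


if __name__ == "__main__":
    for user in ("SYSTEM", "SYSTEM ", "alice"):
        print(repr(user),
              "vulnerable ->", authenticate_vulnerable(user, "anything"),
              "| fixed ->", authenticate_fixed(user, "anything"),
              "| suspicious:", suspicious_username(user))
```

The fix is not "also strip before the deny-list check" bolted on as a second step; it is a single canonicalization applied before every decision, plus an outright refusal to let any passwordless internal principal authenticate interactively. The `suspicious_username` helper is the corresponding hunting check: run it over historical authentication logs to surface username values that differ from their canonical form.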
Beyond CVE-2025-34143, the research uncovered three additional vulnerabilities: reflected cross-site scripting (CVE-2025-34141), XML External Entity injection (CVE-2025-34142), and another authentication bypass (CVE-2025-34140). ETQ has expressed gratitude to the customer who responsibly reported these security concerns, emphasizing the role of external reporting in strengthening product security. The company has stated there is no evidence to indicate any exploitation in the wild.