Sunday, January 18, 2026

Single Space Keystroke Grants Full SYSTEM Access Through ETQ Reliance RCE Vulnerability

A routine investigation by security researchers at Assetnote has uncovered a series of critical vulnerabilities in Hexagon ETQ’s Reliance, an enterprise-grade quality management system deployed by thousands of organizations globally.

In a finding reminiscent of early 2000s web insecurities, researchers demonstrated how a single unintended space character in the login input could break the fundamental security of the application, granting full SYSTEM-level access and remote code execution (RCE).

Chained Bugs: From XSS to Pre-Auth RCE

ETQ Reliance, commonly used for document and form management within regulated industries, has long flown under the radar of security researchers.

Assetnote’s deep dive revealed four significant vulnerabilities (now designated CVE-2025-34140 to CVE-2025-34143), touching on classic attack vectors such as XSS and XXE and, most alarmingly, a trivial authentication bypass with grave consequences.

In a technical breakdown, researchers examined the application’s Java monolith codebase. One servlet exposed a reflected XSS flaw allowing attackers to inject JavaScript via crafted parameters.

A second flaw, a pre-authentication XML External Entity (XXE) injection via the SAML-based Single Sign-On handler, allowed attackers to read arbitrary files from the server’s file system by sending maliciously crafted SAML responses.

The error messages inadvertently included file contents or directory listings in HTTP response headers, a clear violation of security best practices.

The “Space” That Shattered Security

The most staggering discovery came when researchers attempted to log in as the internal SYSTEM user by simply adding a trailing space character to the username (“SYSTEM ”).

Direct SYSTEM logins are normally blocked; however, the trailing space bypasses the checks within the resolveUser function, due to inconsistent trimming and collation handling across the Java code and the underlying MySQL database.

MySQL’s default collation makes ‘SYSTEM’ and ‘SYSTEM ’ equivalent, so the database happily returned the SYSTEM user record. But, crucially, after matching, the password validation was skipped entirely for this special account.

Researchers then escalated this access to full RCE by leveraging ETQ Reliance’s form report feature, which allowed attackers to inject arbitrary Jython code executed with SYSTEM privileges, including running OS shell commands.

Hexagon responded swiftly, releasing ETQ Reliance NXG 2025.1.2 to address these flaws. Organizations using ETQ Reliance are urged to upgrade immediately and review system logs for suspicious SYSTEM logins.
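The trailing-space mismatch described above and the recommended log review can be combined in one check. The following is an added example, not Assetnote's or Hexagon's code: it compares usernames the way a case-insensitive, space-padding collation would and flags matching logins. The log format, the RESERVED set and all function names are assumptions made for illustration.

```python
import re

# Assumption: internal account names that must never log in interactively.
RESERVED = {"SYSTEM"}

# Constructed log format; ETQ Reliance's real log layout is not shown on the page.
LOGIN_RE = re.compile(
    r'LOGIN user="(?P<user>[^"]*)" src=(?P<src>\S+) result=(?P<result>\w+)'
)

def collation_key(name: str) -> str:
    """Approximate a case-insensitive PAD SPACE comparison:
    trailing spaces are ignored and case is folded."""
    return name.rstrip(" ").casefold()

RESERVED_KEYS = {collation_key(n) for n in RESERVED}

def naive_is_reserved(name: str) -> bool:
    """Exact-match blocklist (hypothetical): a trailing space slips past it."""
    return name in RESERVED

def is_reserved(name: str) -> bool:
    """Compare the way the database will, so both layers agree."""
    return collation_key(name) in RESERVED_KEYS

def suspicious_logins(lines):
    """Return (line_number, raw_username, source, result) for every login
    whose username resolves to a reserved account."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = LOGIN_RE.search(line)
        if m and is_reserved(m["user"]):
            hits.append((number, m["user"], m["src"], m["result"]))
    return hits

# Constructed sample log lines (documentation IP ranges).
SAMPLE_LOG = [
    '2025-07-01T09:58:40Z LOGIN user="jdoe" src=198.51.100.12 result=success',
    '2025-07-01T10:02:11Z LOGIN user="SYSTEM" src=203.0.113.7 result=denied',
    '2025-07-01T10:02:19Z LOGIN user="SYSTEM " src=203.0.113.7 result=success',
    '2025-07-01T10:05:03Z LOGIN user="system " src=203.0.113.7 result=success',
    '2025-07-01T10:07:45Z LOGIN user="SYSTEMS" src=198.51.100.30 result=denied',
]

if __name__ == "__main__":
    for hit in suspicious_logins(SAMPLE_LOG):
        print(hit)
```

Keeping the raw username in each hit matters: the trailing space is the indicator, and trimming it before storage or display would hide it.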

Assetnote’s research is a sobering reminder: sometimes the most devastating vulnerabilities lurk behind the simplest mistakes. A single keystroke can be all it takes to bring down walled gardens designed for enterprise security.
