ETQ Reliance Security Update
ETQ has always taken an aggressive and thorough stance when it comes to security and the security of our customers’ ETQ Reliance® installations and data. We will periodically post security updates that outline recent vulnerabilities uncovered and remediation efforts taken as a means of being as transparent as possible, without creating additional security challenges for ETQ and its customers.
Summary:
In April 2025, ETQ validated and resolved four separate vulnerabilities impacting the ETQ Reliance platform. These vulnerabilities varied in severity and, as per our established DevSecOps practices, they were resolved in a timely manner. A critical authentication bypass vulnerability was addressed immediately and fixed with an emergency patch applied to impacted environments in early April. Fixes for the other three vulnerabilities were completed in April and shipped in CG release SE.2025.1, released during the May 2025 patch window, and in NXG release 2025.1.2, deployed to non-production environments in early June and to production environments on June 20, 2025. All vulnerabilities were responsibly disclosed and there is no evidence to indicate any exploitation in the wild.
Intro:
On April 1, 2025, ETQ was made aware of a critical, customer-reported security vulnerability in our legacy CG platform.
While working the critical vulnerability from April 1, ETQ received a separate, external security disclosure on April 6, 2025 describing four vulnerabilities. One was a duplicate of the critical vulnerability reported on April 1; the other three were new.
It was later determined that the April 6 disclosure was also the original source of the April 1 customer-reported vulnerability. As such, we treated all 4 of these vulnerabilities as a singular security event.
This article will provide information about each vulnerability, its root cause and how it has been fixed. We have also included a timeline of the events.
Vulnerability Information:
While many software vulnerabilities are tracked by CVE ID issued by The MITRE Corporation, ETQ does not obtain CVE IDs for vulnerabilities within the ETQ Reliance platform. Instead, these vulnerabilities are tracked independently by our own numbering scheme. Throughout this article, we will reference vulnerabilities by EVE ID (ETQ Vulnerabilities and Exposures) instead. We do, however, use the Common Vulnerability Scoring System (CVSS) to provide a standardized numerical score for ETQ Reliance vulnerabilities.
EVE-70: Authentication Bypass
Severity: Critical (CVSS 9.8)
Platform(s) Impacted: CG (legacy)
Fix Version: MP-4583
The Issue
An attacker with network access to the login page could bypass authentication by manipulating the username of an internal-only account, gaining privileged access to the underlying system. While the resulting session remained active, further attempts to exploit the flaw failed; once that session expired, it could be exploited again.
Root Cause
The login process failed to implement proper input validation. This resulted in the mishandling of logic related to the internal user account.
Fix Implemented
Additional authentication logic was implemented to completely prevent the internal user from being processed by the standard user authentication flow.
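As an added illustration of the fix pattern described above (not ETQ's code; the account names, the in-memory stores and the login API are constructed for the example), the following Java sketch shows an interactive login flow that canonicalizes the submitted username and refuses any name that resolves to a platform-internal account before any credential logic runs. The canonicalization step matters: a deny rule that exact-matches the raw string can be sidestepped with case, whitespace, control-character or Unicode compatibility variants that a later, more lenient user lookup still accepts.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.text.Normalizer;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Illustration of the EVE-70 fix pattern: internal, non-interactive accounts are
// excluded from the interactive login flow before any credential logic runs.
// Not ETQ code; the account names and the in-memory stores are constructed.
public class LoginGate {

    public enum Result { OK, DENIED }

    // Hypothetical platform-internal accounts that must never log in interactively.
    private static final Set<String> INTERNAL_ACCOUNTS = Set.of("svc_internal", "svc_scheduler");

    // Hypothetical interactive users. Plaintext secrets only to keep the example
    // short; a real store holds salted password hashes.
    private static final Map<String, String> USERS = Map.of("alice", "correct horse battery staple");

    /** One canonical form for every comparison: NFKC-normalised, control
     *  characters stripped, trimmed, lower-cased. Without this, " SVC_INTERNAL "
     *  or a full-width spelling can slip past an exact-match deny rule while
     *  still matching a case-insensitive user lookup later. */
    static String canonical(String username) {
        String s = Normalizer.normalize(username, Normalizer.Form.NFKC);
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (!Character.isISOControl(c)) {
                sb.append(c);
            }
        }
        return sb.toString().trim().toLowerCase(Locale.ROOT);
    }

    /** Interactive login. Internal accounts are rejected here, on the canonical
     *  name, so they can never reach the credential check below. */
    public static Result login(String username, String password) {
        if (username == null || password == null) {
            return Result.DENIED;
        }
        String name = canonical(username);
        if (name.isEmpty() || name.length() > 64) {
            return Result.DENIED;                  // basic input validation
        }
        if (INTERNAL_ACCOUNTS.contains(name)) {
            return Result.DENIED;                  // the fix: not processed by this flow at all
        }
        String expected = USERS.get(name);
        if (expected == null) {
            return Result.DENIED;                  // same answer as a bad password
        }
        return constantTimeEquals(expected, password) ? Result.OK : Result.DENIED;
    }

    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String[][] attempts = {
            { "alice", "correct horse battery staple" },   // legitimate user
            { "alice", "wrong" },
            { "svc_internal", "anything" },                 // internal account, plain spelling
            { " SVC_INTERNAL ", "anything" },               // case and whitespace variants
            { "svc_internal\u0000", "anything" },           // embedded control character
            { "\uff53\uff56\uff43_internal", "anything" },  // full-width letters, NFKC -> "svc"
        };
        for (String[] a : attempts) {
            String shown = "\"" + a[0].replace("\u0000", "\\0") + "\"";
            System.out.printf("%-28s -> %s%n", shown, login(a[0], a[1]));
        }
    }
}
```

Only the first attempt returns OK; every spelling of the internal account, and the bad password, return DENIED with the same response, so the login page leaks nothing about which accounts exist. Keeping internal accounts in a separate, non-interactive store rather than in the same table as human users removes the remaining risk that a future code path forgets this check.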
EVE-71: API Authorization Bypass
Severity: High (CVSS 7.8)
Platform(s) Impacted: CG (legacy), NXG (SaaS)
Fix Version: SE.2025.1, 2025.1.2
The Issue
An attacker could append a specific string to API calls, which caused the API authorization check to be skipped and gave unauthorized access to a limited set of API resources. Role-based access control (RBAC) is enforced separately and blocked access to most API resources, but for the specific resources vulnerable to this attack vector RBAC was not enforced.
Root Cause
The logic used to authorize certain API resources was improperly configured. This resulted in the authorization bypass by appending a specific string to an API call.
Fix Implemented
The misconfiguration was removed and API logic refactored to prevent exposing API resources that should require authorization.
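The following Java sketch is an added illustration of the class of bug described above and of the fix, not ETQ's code. The page does not disclose the string that was appended, and nothing here should be read as that string; a trailing "/" is used purely as a stand-in for "any suffix that changes the raw path without changing where the request is dispatched". The route table, roles and request model are constructed. The point it makes is that an authorization check which inspects a different view of the request than the dispatcher, with "allow" as the fall-through, will be bypassed by exactly such a suffix, and that authorizing the resolved route with deny-by-default closes the gap.

```java
import java.util.Map;
import java.util.Optional;
import java.util.Set;

// Illustration of the EVE-71 class of bug and its fix: an authorization check
// that inspects a different view of the request than the dispatcher uses, with
// "allow" as the fall-through. Not ETQ code. The page does not disclose the
// appended string; a trailing "/" stands in for it here, and the route table
// and roles are constructed. Requires Java 17+ (records).
public class ApiAuthz {

    enum Role { USER, ADMIN }

    record Request(String rawPath, Set<Role> roles) { }

    record Route(String name, Role required) { }

    // Hypothetical route table: canonical path -> handler and the role it needs.
    static final Map<String, Route> ROUTES = Map.of(
        "/api/admin/users", new Route("admin.users", Role.ADMIN),
        "/api/me",          new Route("me",          Role.USER));

    /** What the dispatcher does: normalise the path (drop trailing slashes),
     *  then look the handler up. "/api/admin/users/" runs the admin handler. */
    static Optional<Route> resolve(String rawPath) {
        String p = rawPath;
        while (p.length() > 1 && p.endsWith("/")) {
            p = p.substring(0, p.length() - 1);
        }
        return Optional.ofNullable(ROUTES.get(p));
    }

    /** BEFORE: a list of protected raw paths, exact-matched against the
     *  un-normalised request path, with everything else allowed. Appending a
     *  character defeats the match but not the dispatch. */
    static boolean authorizeDefaultAllow(Request r) {
        Set<String> protectedPaths = Set.of("/api/admin/users");
        if (protectedPaths.contains(r.rawPath())) {
            return r.roles().contains(Role.ADMIN);
        }
        return true;   // misconfiguration: unknown paths fall through as allowed
    }

    /** AFTER: authorize the resolved route, i.e. the same object the dispatcher
     *  will execute, and deny anything that resolves to nothing. The check
     *  cannot disagree with the dispatcher about which resource is in play. */
    static boolean authorizeDefaultDeny(Request r) {
        Optional<Route> route = resolve(r.rawPath());
        if (route.isEmpty()) {
            return false;
        }
        return satisfies(r.roles(), route.get().required());
    }

    /** ADMIN satisfies a USER requirement; nothing else is implied. */
    static boolean satisfies(Set<Role> held, Role required) {
        if (required == Role.USER) {
            return held.contains(Role.USER) || held.contains(Role.ADMIN);
        }
        return held.contains(required);
    }

    public static void main(String[] args) {
        Set<Role> plainUser = Set.of(Role.USER);
        String[] paths = { "/api/admin/users", "/api/admin/users/", "/api/me", "/api/nope" };
        System.out.printf("%-22s %-12s %-8s %-8s%n", "path", "dispatches to", "before", "after");
        for (String p : paths) {
            Request r = new Request(p, plainUser);
            String target = resolve(p).map(Route::name).orElse("(404)");
            System.out.printf("%-22s %-12s %-8b %-8b%n",
                p, target, authorizeDefaultAllow(r), authorizeDefaultDeny(r));
        }
    }
}
```

For a caller holding only USER, the second row is the bypass: "/api/admin/users/" still dispatches to the admin handler, but the before-check returns true because the raw path is not in its list. The after-check returns false for that row and for the unknown path. The same reasoning applies to any other normalisation the dispatcher performs (case folding, percent-decoding, path-parameter stripping): the authorization decision has to be made on the post-normalisation resource, and unmatched requests must be denied, not allowed.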
EVE-72: Cross Site Scripting (XSS) via Java Servlet
Severity: Medium (CVSS 5.3)
Platform(s) Impacted: CG (legacy)
Fix Version: SE.2025.1
The Issue
An attacker could interact directly with a Java servlet and pass it a cross-site scripting (XSS) payload. The payload is reflected, not stored: it is not persisted by the application, so an attacker would need to social-engineer a victim into following a crafted request for it to have any impact.
Root Cause
Access to a specific Java servlet that interacts with the SQL database was improperly exposed to authenticated users.
Fix Implemented
The improper exposure of the Java servlet to authenticated users was removed since users do not need to interface directly with the servlet.
EVE-73: XML External Entity Injection (XXE)
Severity: High (CVSS 8.2)
Platform(s) Impacted: CG (legacy)
Fix Version: SE.2025.1
The Issue
XML data consumed by one specific process was parsed with external entity resolution enabled. An attacker able to modify that XML could declare an external entity and carry out an XML external entity injection (XXE) attack, which can lead to the retrieval of sensitive information from the system and/or its exfiltration.
Root Cause
The processing of XML external entities in XML data was not disabled for this specific process.
Fix Implemented
The processing of XML external entities in XML data for this process has been disabled per security best practices.
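The following is an added, self-contained Java example of the fix described above as it looks in the JDK's own XML API; it is not ETQ's code, and the "sensitive file" is a temporary file the program writes itself. It assumes a JDK whose default DocumentBuilderFactory still resolves external general entities, which is the behaviour of the JDK 8 through 21 releases; parser defaults can be changed by JDK version or by a jaxp.properties or system-property configuration, so verify on the JDK you run. The constructed payload declares an external entity pointing at that file, parses it once with the default factory and once with a hardened one, and shows that the hardened parser rejects the document before any entity is resolved.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

// Added XXE illustration for the EVE-73 fix (not ETQ code). The secret file and
// the payload are constructed by the program itself; nothing else is touched.
public class XxeDemo {

    /** Parser as the JDK ships it: DOCTYPE declarations are honoured and
     *  external general entities are fetched and inlined. */
    static DocumentBuilder defaultParser() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened parser: no DOCTYPE at all, hence no internal or external
     *  entities, no external DTD fetches, no XInclude. This is the "disable
     *  external entity processing" fix expressed in the JAXP feature set. */
    static DocumentBuilder hardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parse a document and return the text of its root element, which is
     *  where an expanded external entity would surface. */
    static String parseRecord(DocumentBuilder parser, String xml) throws Exception {
        Document doc = parser.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive file on the server.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "db-password=hunter2");
        secret.toFile().deleteOnExit();

        // Constructed malicious payload: an external entity pointing at that file.
        String payload = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE record [<!ENTITY ext SYSTEM \"" + secret.toUri() + "\">]>\n"
            + "<record>&ext;</record>";

        // Default parser: the file contents come back as the element text.
        System.out.println("default parser  : " + parseRecord(defaultParser(), payload));

        // Hardened parser: the DOCTYPE itself is rejected, so the file is never read.
        try {
            parseRecord(hardenedParser(), payload);
            System.out.println("hardened parser : UNEXPECTED, payload accepted");
        } catch (SAXParseException e) {
            System.out.println("hardened parser : rejected (" + e.getMessage() + ")");
        }
    }
}
```

The same settings have equivalents on every JAXP entry point, and a fix is only complete once all of them in the affected process are covered: SAXParserFactory takes the same feature URIs; XMLInputFactory needs SUPPORT_DTD set to false and IS_SUPPORTING_EXTERNAL_ENTITIES set to false; TransformerFactory and SchemaFactory need ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET (or ACCESS_EXTERNAL_SCHEMA) set to the empty string. If a process genuinely has to accept documents with a DOCTYPE, drop only the disallow-doctype-decl line and keep the entity and external-DTD features off.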
Timeline of Events:
EVE-70
| Date: | Event: |
|---|---|
| April 1, 2025 | Customer reports potential critical authentication bypass. |
| April 2, 2025 | Findings verified by ETQ’s internal security team and the security incident procedure is implemented. Platform impact is determined and engineering develops a fix. |
| April 3, 2025 | A patch, containing the vulnerability fix, is provided to the reporting customer for testing. |
| April 6, 2025 | ETQ receives a security disclosure containing 3 additional vulnerabilities in addition to the known critical authentication bypass vulnerability. |
| April 9, 2025 | The final patch, containing the vulnerability fix for the authentication bypass, is fully tested and validated. R&D complete. |
| April 10, 2025 | Notices sent to affected customers about maintenance window for emergency patching. Patch deployed to hosted customers and made available to on-premises customers. |
EVE-71, EVE-72, EVE-73
| Date: | Event: |
|---|---|
| April 6, 2025 | ETQ receives security disclosure containing 3 additional vulnerabilities in addition to the known critical authentication bypass vulnerability. |
| April 7, 2025 | Findings verified by ETQ’s internal security team and the security incident procedure is implemented. |
| April 21, 2025 | Fixes for EVE-71, EVE-72, and EVE-73 are created for testing. |
| April 28, 2025 | Fixes tested and reviewed. |
| May 6, 2025 | CG release SE.2025.1 fully tested and validated. |
| May 2025 | CG release SE.2025.1 released during the May patch window. |
| May 29, 2025 | NXG Release 2025.1.2 fully tested and validated. |
| June 5, 2025 | NXG Release 2025.1.2 deployed to non-production environments. |
| June 20, 2025 | NXG Release 2025.1.2 deployed to production environments. |
Conclusion:
We are grateful to the customer who promptly and responsibly reported these security concerns to us after learning about them. While we rigorously test and monitor our systems and software for security vulnerabilities internally, we also recognize the role our customers play in helping us further strengthen our product. We appreciate the collaborative effort and encourage responsible disclosure of security concerns to help facilitate a safer experience for everyone utilizing our products.
We recognize that ETQ Reliance is a critical software component in many industry verticals. For this reason, we take the security of our software seriously and treat all security disclosures with the urgency and action warranted. We want to assure you that ETQ is committed to building industry-leading QMS software held to the highest security standards. We believe that quality and security go hand-in-hand, and we are proud to stand alongside our customers as partners in their quality journey. We trust that the transparency of this disclosure and timeliness of correcting the vulnerabilities will speak to that commitment.