CVE-2025-34140

Summary

An authorization bypass vulnerability exists in ETQ Reliance (legacy CG and NXG SaaS platforms). By appending a specific URI suffix to certain API endpoints, an unauthenticated attacker can bypass access control checks and retrieve limited sensitive resources. The root cause was a misconfiguration in API authorization logic, which has since been corrected in SE.2025.1 and 2025.1.2.

Affected Software

VendorProductVersion RangeStatus
ETQReliance CG (legacy)0 < SE.2025.1affected
ETQReliance CG (legacy)SE.2025.1unaffected
ETQReliance NXG (SaaS)0 < 2025.1.2affected
ETQReliance NXG (SaaS)2025.1.2unaffected

Weaknesses

  • CWE-639: CWE-639 Authorization Bypass Through User-Controlled Key

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References