
CVE-2025-34140: CWE-639 Authorization Bypass Through User-Controlled Key in ETQ Reliance CG (legacy)

Severity: High
Type: Vulnerability
Tags: CVE-2025-34140, cve, cve-2025-34140, cwe-639
Published: Tue Jul 22 2025 (07/22/2025, 12:34:31 UTC)
Source: CVE Database V5
Vendor/Project: ETQ
Product: Reliance CG (legacy)

Description

An authorization bypass vulnerability exists in ETQ Reliance (legacy CG and NXG SaaS platforms). By appending a specific URI suffix to certain API endpoints, an unauthenticated attacker can bypass access control checks and retrieve limited sensitive resources. The root cause was a misconfiguration in API authorization logic, which has since been corrected in SE.2025.1 and 2025.1.2.

AI-Powered Analysis

Last updated: 07/22/2025, 13:01:36 UTC

Technical Analysis

CVE-2025-34140 is a high-severity authorization bypass vulnerability affecting ETQ Reliance legacy CG and NXG SaaS platforms. The vulnerability arises from a misconfiguration in the API authorization logic, specifically related to user-controlled keys in URI requests. An unauthenticated attacker can exploit this flaw by appending a crafted URI suffix to certain API endpoints, thereby bypassing access control mechanisms and retrieving sensitive resources that should otherwise be protected. This vulnerability is classified under CWE-639, which pertains to authorization bypass through user-controlled keys. The root cause is improper validation and enforcement of authorization checks on API requests, allowing unauthorized data access without requiring any authentication or user interaction. The vendor has addressed this issue in subsequent releases SE.2025.1 and 2025.1.2, correcting the authorization logic to prevent such bypasses. The CVSS 4.0 base score is 8.7, reflecting the vulnerability's ease of exploitation (network vector, no privileges or user interaction required) and the high impact on confidentiality due to unauthorized data disclosure. No known active exploits have been reported in the wild yet, but the vulnerability's nature and severity make it a critical risk if left unpatched. Organizations using ETQ Reliance legacy CG or NXG SaaS platforms should prioritize patching and review their API security configurations to mitigate potential exploitation.

Potential Impact

For European organizations using ETQ Reliance legacy CG or NXG SaaS platforms, this vulnerability poses a significant risk to the confidentiality of sensitive data managed within these systems. Since the flaw allows unauthenticated attackers to bypass authorization controls and access restricted resources, it could lead to unauthorized disclosure of proprietary, regulatory, or personal data. This is particularly critical for industries with stringent data protection requirements such as healthcare, manufacturing, pharmaceuticals, and finance, where ETQ Reliance is commonly deployed for quality, compliance, and risk management. The exposure of sensitive information could result in regulatory penalties under GDPR, reputational damage, and operational disruptions. Additionally, the vulnerability could be leveraged as a foothold for further attacks within the network if sensitive configuration or credential data is accessed. Although no active exploits are currently known, the ease of exploitation and lack of authentication requirements increase the urgency for European entities to address this vulnerability promptly to prevent potential data breaches and compliance violations.

Mitigation Recommendations

European organizations should immediately verify if they are running affected versions of ETQ Reliance legacy CG or NXG SaaS platforms. The primary mitigation is to apply the vendor-released patches SE.2025.1 or 2025.1.2, which correct the API authorization logic. If immediate patching is not feasible, organizations should implement compensating controls such as restricting network access to ETQ API endpoints via firewall rules or VPNs, enforcing strict API gateway policies that validate and sanitize URI parameters, and monitoring API logs for unusual access patterns or suspicious URI suffixes indicative of exploitation attempts. Conducting a thorough audit of API authorization configurations and performing penetration testing focused on API access controls can help identify residual weaknesses. Additionally, organizations should review and enhance their incident detection capabilities to quickly identify unauthorized data access. Finally, ensure that all ETQ platform instances are running the latest supported versions and that security configurations align with vendor best practices to prevent similar authorization bypass issues.
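A log check for the monitoring step above, as an added example (not from the advisory or from ETQ): it flags requests that match a protected API route only as a prefix, with extra trailing text, and ranks unauthenticated 2xx responses highest. The route patterns, log format and sample lines are constructed; the advisory does not name the affected endpoints or the suffix.

```python
import re
from urllib.parse import urlsplit, unquote

# Hypothetical protected routes (NOT ETQ's real API paths); each must match in full.
PROTECTED_ROUTES = [
    re.compile(r"/api/v1/documents/\d+"),
    re.compile(r"/api/v1/users/\d+/profile"),
]

# Constructed log format: client method target status session ("-" = no session)
LOG_RE = re.compile(r"(\S+) (\S+) (\S+) (\d{3}) (\S+)")

SAMPLE_LOG = [  # constructed sample lines, documentation-range addresses
    "192.0.2.10 GET /api/v1/documents/1042 200 sess-a1",
    "198.51.100.7 GET /api/v1/documents/1042 401 -",
    "198.51.100.7 GET /api/v1/documents/1042/SUFFIX-PLACEHOLDER 200 -",
    "198.51.100.7 GET /api/v1/users/7/profile%2FSUFFIX-PLACEHOLDER?x=1 404 -",
    "192.0.2.10 GET /static/app.css 200 -",
]

def classify(path):
    """'exact' = allowlisted route, 'suffixed' = route plus extra text, else 'other'."""
    if any(r.fullmatch(path) for r in PROTECTED_ROUTES):
        return "exact"
    if any(r.match(path) for r in PROTECTED_ROUTES):
        return "suffixed"
    return "other"

def find_suspicious(lines):
    findings = []
    for line in lines:
        m = LOG_RE.fullmatch(line.strip())
        if not m:
            continue  # unparseable line: skipped here, worth counting in production
        client, _method, target, status, session = m.groups()
        # Drop the query string and decode %xx so encoded separators cannot hide a suffix.
        path = unquote(urlsplit(target).path)
        if classify(path) != "suffixed":
            continue
        # A suffixed protected route served with 2xx and no session is the bypass pattern.
        served_unauth = session == "-" and status.startswith("2")
        findings.append({"client": client, "path": path, "status": int(status),
                         "severity": "high" if served_unauth else "review"})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

The same full-match rule can be enforced at an API gateway as a compensating control: reject any request whose decoded path is not an exact allowlisted route.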


Technical Details

Data Version: 5.1
Assigner Short Name: VulnCheck
Date Reserved: 2025-04-15T19:15:22.563Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 687f881fa83201eaac1c0eba

Added to database: 7/22/2025, 12:46:23 PM

Last enriched: 7/22/2025, 1:01:36 PM

Last updated: 7/22/2025, 8:12:36 PM
