CVE-2025-34140
Published: 22 July 2025
Summary
CVE-2025-34140 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in ETQ (vendor inferred from references). Its CVSS base score is 8.7 (High).
Operationally, it ranks in the top 21.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
An authorization bypass vulnerability exists in ETQ Reliance on the legacy CG and NXG SaaS platforms. The flaw stems from a misconfiguration in API authorization logic that allows an unauthenticated attacker to retrieve limited sensitive resources by appending a specific URI suffix to certain endpoints. The issue is tracked as CWE-639 and carries a CVSS 4.0 score of 8.7 reflecting network-accessible exploitation with high confidentiality impact and no required authentication or user interaction.
An unauthenticated remote attacker can exploit the weakness to bypass access-control checks on affected API endpoints and obtain restricted data that would otherwise be protected. Because the attack requires no credentials or special positioning, it can be carried out from anywhere on the network against exposed instances of the legacy platforms.
Vendor guidance states that the authorization logic has been corrected in SE.2025.1 and 2025.1.2. ETQ has published an advisory at etq.com along with a product overview, and additional technical detail is available from VulnCheck.
EPSS remains low and unchanged, with a peak of 0.0109, indicating no material increase in observed exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22313
Vulnerability details
An authorization bypass vulnerability exists in ETQ Reliance (legacy CG and NXG SaaS platforms). By appending a specific URI suffix to certain API endpoints, an unauthenticated attacker can bypass access control checks and retrieve limited sensitive resources. The root cause was a misconfiguration in API authorization logic, which has since been corrected in SE.2025.1 and 2025.1.2.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.