Quadient DS-700 iQ Kiosk Mode Breakout Vulnerability Allowing Local Administrative Access

Vulnerability

A race condition vulnerability has been identified in Quadient DS-700 iQ devices running versions prior to September 30, 2025. The issue arises from a rapid sequence of clicks on specific control panel buttons, which triggers a race condition that crashes the application running in kiosk mode. The crash exposes the underlying Windows operating system and, with it, local administrative privileges. The vulnerability is compounded by physical access to an unsecured external controller PC, which can be used to connect malicious USB devices or to manipulate the system directly through emulated keyboard and mouse input.

Impact

Exploitation of this vulnerability bypasses kiosk mode restrictions, granting full administrative access to the Windows operating system. This access can be used to disable security features, install unauthorized software, and execute commands with elevated privileges. Additionally, the lack of physical security for the external controller PC allows for direct manipulation of the system, further escalating the potential for abuse.

Reproduction

The vulnerability can be reproduced by clicking the 'Question Mark' button, followed by the 'Help' button, the 'About' button, and then the 'Help' button again in quick succession. This sequence creates a race condition that causes the application to crash, exiting kiosk mode and revealing the Windows operating system. Once access to the OS is gained, the touchscreen can be used to execute various commands, including launching applications or establishing remote connections.

Remediation

It is recommended that Quadient revise the operating system's user privilege management so that the Neopost account no longer holds local administrative rights. In addition, fitting the External Controller PC cabinet with a lock-pick-resistant lock, restricting USB port access to authorized devices only, and strengthening physical security measures would help mitigate the risk. Clients are advised to install endpoint detection and response software, monitor physical access to the Quadient machine, and segment the device from the Active Directory network.
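As an added example (not part of this advisory and not Quadient's own tooling), the following PowerShell audit script checks three of the hardening points above on the Windows controller PC: whether the Neopost account is still a member of the local Administrators group, whether the USB mass-storage driver is disabled, and whether an Explorer desktop is running under the kiosk account. The account name comes from the advisory; the USBSTOR registry check and the assumption that a locked-down kiosk shell does not run explorer.exe are assumptions, not Quadient-specific facts.

```powershell
# Added audit example: checks controller-PC hardening points named in the advisory.
# Run in an elevated PowerShell session on the Windows host; requires the
# Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later).
$Findings = @()

# 1. The advisory recommends that the 'Neopost' account lose local admin rights.
#    Account name comes from the advisory; adjust if the device uses another name.
$KioskAccount = 'Neopost'
$Admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
$IsAdmin = $Admins | Where-Object { $_.Name -like "*\$KioskAccount" -or $_.Name -eq $KioskAccount }
if ($IsAdmin) {
    $Findings += "FAIL: '$KioskAccount' is a member of local Administrators ($($IsAdmin.Name))"
    # To remediate (only after confirming the kiosk app still starts as a standard user):
    # Remove-LocalGroupMember -Group 'Administrators' -Member $KioskAccount
} else {
    $Findings += "PASS: '$KioskAccount' is not in local Administrators"
}

# 2. The advisory recommends restricting USB ports to authorized devices. One common
#    control (assumed here, not Quadient-specific) is disabling the USB mass-storage
#    driver: Start = 4 means the USBSTOR service is disabled, 3 means start on demand.
$UsbStor = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -ErrorAction SilentlyContinue
if ($null -eq $UsbStor) {
    $Findings += "INFO: USBSTOR service key not found; USB storage driver may not be installed"
} elseif ($UsbStor.Start -eq 4) {
    $Findings += "PASS: USB mass-storage driver (USBSTOR) is disabled (Start=4)"
} else {
    $Findings += "FAIL: USB mass-storage driver (USBSTOR) is enabled (Start=$($UsbStor.Start))"
    # To remediate: Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -Value 4
}

# 3. Breakout detection hint: the advisory says the crash exposes the Windows desktop.
#    Assumption: a locked-down kiosk shell does not normally run explorer.exe under the
#    kiosk account, so an Explorer process owned by that account is worth investigating.
$Explorer = Get-CimInstance Win32_Process -Filter "Name='explorer.exe'" |
    ForEach-Object { $_ | Invoke-CimMethod -MethodName GetOwner } |
    Where-Object { $_.User -eq $KioskAccount }
if ($Explorer) {
    $Findings += "WARN: explorer.exe is running as '$KioskAccount'; kiosk shell may have exited"
} else {
    $Findings += "PASS: no explorer.exe session for '$KioskAccount'"
}

$Findings | ForEach-Object { Write-Output $_ }
```

Schedule the script with the EDR or configuration-management tooling the advisory recommends so that a FAIL or WARN line raises an alert rather than waiting for a manual check.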

Added: Sep 30, 2025, 11:17 PM
Updated: Sep 30, 2025, 11:17 PM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          7.5
exploitability  4.2
remediation     0.0
relevance       0.6
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.