The Quadient DS-700iQ is a high-volume folder-inserter machine designed for automating the process of assembling, folding, and inserting mail into envelopes for large mailing operations. It features a modular design that can handle complex mailing jobs, supports multiple feeders and enclosures, and offers integration with barcode/OMR/2D scanning for document integrity and sorting. The DS-700iQ is particularly suited for industries that require high-volume mail processing, such as billing, banking, and direct marketing.
In other words, it’s basically a super-fast, automated mailroom machine. Used by various industries for folding materials that get paired with addresses, etc. Large companies that send out bills, bank statements, credit cards, or marketing fliers typically use devices like this rather than package by hand.
Figure 1. Example of the Quadient DS-700iQ machine
Common Vulnerabilities and Exposures
CVE-2025-TBD : Improper Privilege Management in Quadient DS-700iQ folder inserter
The Quadient DS-700iQ folder inserter runs its underlying Windows operating system (OS) under a local administrator account named "neopost." Given that this account is a member of the local administrators group, it has complete and unrestricted access to the device. An attacker who gains physical or logical access to the device could exploit the default configuration to escape the restricted interface (kiosk mode breakout) and obtain full administrative privileges to the OS. This vulnerability could allow attackers to disable security controls, install malware, dump credentials, or install network interfaces to establish outbound connections, significantly compromising the security posture of the environment.
Common Weakness Enumeration
CWE-1263: Improper Physical Access Controls
The Quadient DS-700iQ exposes its External Controller PC in an unsecured cabinet, allowing unrestricted physical access to the system. The exposed USB ports and power button can allow an attacker to connect unauthorized devices or reboot the system into an attacker-controlled OS, leading to full compromise. Given that the OS runs under a local admin account, physical access translates directly into full administrative control. Additionally, this vulnerability can enable a threat actor to tamper with the OS directly or initiate backdoors via implants that may go undetected.
CWE-248: Uncaught Exception
The Quadient DS-700iQ suffers from issues where errors produced are not caught, causing the software to crash and the operating system to be exposed. Crashes allow a threat actor to interact with the OS, gaining unfettered access to OS functions such as launching software, installing programs, or even establishing arbitrary or remote code execution on the system.
CWE-1299: Missing Protection Mechanism for Alternate Hardware Interface
The Quadient DS-700iQ folder-inserter system fails to implement proper access control for USB interfaces, allowing any connected USB device to interact with the underlying Windows OS regardless of its Vendor ID (VID) or Product ID (PID). Since there is no USB allowlist in place, the system accepts arbitrary USB peripherals, including Human Interface Devices (HID), USB mass storage, and USB network adapters. A threat actor can utilize malicious USB devices to install malware, remote access tools, or compromise the integrity of the system.
CWE-693: Protection Mechanism Failure
The Quadient DS-700iQ folder-inserter system is shipped with a Windows-based control PC that operates under a local administrator account (neopost.) The operating system is configured without proper LSASS protection mechanisms, such as Credential Guard or RunAsPPL, and with legacy authentication providers such as WDigest enabled. As a result, an attacker who obtains access to the system, whether physically or through kiosk breakout, can extract sensitive credentials, including plaintext passwords and NTLM hashes, directly from memory.
The DS-700 iQ has what is called an “Integrated Mail Operating System” (IMOS). The system’s control panel is a thick client running in a kiosk mode, and the user can touch the various functions to interact with the DS-700iQ.
Figure 2. IMOS control panel for the DS-700iQ [what an operator sees]
Figure 3. Example of IMOS control panel buttons utilized for fuzzing a kiosk mode breakout
The issue arises via the kiosk mode breakout. If the user clicks a button too fast, for instance, the “question mark” and subsequently the “Help” button, and then the “About” button, and the “Help” button once again, there appears to be some form of race condition that causes the software to error out, and the thick client [kiosk mode] crashes.
This behavior was observed sporadically, and from other buttons as well, so it’s unclear to what extent it exists and what the underlying cause is. Due to a lack of vendor response and limited time on the client site, it wasn’t possible to gain more information about the specific kiosk mode crashing issue. However, this error repeatedly resulted in the user gaining access to the operating system.
At this point, a threat actor can use the touchscreen to perform various functions and gain arbitrary code execution over the device in question. Bringing up an on-screen keyboard does work. However, there were alternative ways of system interaction.
SpiderLabs noted that the DS-700iQ has a cabinet that allows access to the PC that runs the software.
Figure 4. Storage location of Controller PC, responsible for running the thick client
The resource is not in a locked cabinet, providing ease of access to the USB ports of the external controller PC.
Figure 5. No physical protection for the Controller PC cabinet
Figure 6. Plugging in USB devices to External Controller PC, with no VID/PID-blocking mechanisms observed
The external USB port access allowed SpiderLabs to plug in a mouse and keyboard and even emulate functions with a Flipper device. This allowed for smooth control over the OS, and subsequently, a command prompt was initiated.
Figure 7. Observing the External Controller PC running under the user context “Neopost” as a local administrator
Running the ‘whoami’ command displayed that the OS running the thick client/kiosk mode typically runs as the “Neopost” user. The Neopost user, by default, is assigned as a local administrator, as well as the IMOS user. User switching within the IMOS software does not appear to result in a change of the underlying Windows user context. Regardless of the IMOS role selected, the system continued to run as the Neopost local administrator account.
Figure 8. IMOS software user privilege management interface
The OS defaults to running in a local administrator context, which allowed SpiderLabs to disable the local protection identified on the system. Specifically, Windows Defender with real-time protection was enabled by default.
Figure 9. Utilizing local administrator privileges to disable Window Defender’s real time protection
After disabling Defender’s real-time monitoring, MimiKatz was uploaded with ease and utilized to dump LSASS because of misconfigured OS protections.
Figure 10. Dumping LSASS of External Controller PC, responsible for running the software
In this specific instance, the machine was segmented from the enterprise network. However, these machines typically have a variety of PII since they are utilized to package materials that are mailed to clients.
Additionally, these machines may be operated by several enterprise users, and with local administrator access, the threat scenarios for exploitation are limitless and could very well lead to pivoting into an enterprise’s active directory network. This write-up represents one configuration of thousands of possible variable network configurations that could influence the level of exposure through this attack chain.
When evaluating the above attack chain, each of these issues represents vulnerabilities or weaknesses that need to be addressed by utilizing a defense-in-depth methodology.
For instance, if the touchscreen kiosk mode errors did not exist, this chain could very well still be possible. It’s probable that plugging in USB devices, such as a flipper and fuzzing for kiosk mode sequence breakouts, could have led to a breakout even if the exceptions were handled correctly within the software. As another example, if a locking mechanism was implemented to keep bad actors away from the cabinet, the locking mechanism needs to be thorough. Something like a basic file cabinet lock can be easily picked. Subsequently, if USB control is implemented and devices are allowlisted, a threat actor could still possibly spoof an allowlisted VID/PID, enabling them to operate the USB port. It’s no surprise that every security change has a possible workaround.
Nonetheless, it’s significantly harder for a threat actor to achieve the goals described if each of these vulnerabilities were analyzed and weighed separately – creating friction for the threat actor is the most important part, making it difficult to chain together vulnerabilities to snowball an escalation.
Recommendations for Quadient
Immediate Client Recommendations/Workarounds
This vulnerability went through the Trustwave Responsible Disclosure Program. However, despite multiple attempts to reach out to Quadient through different channels, we received no response.
Additionally, Trustwave applied for a CVE for this vulnerability in August. However, delays with the CVE Program have delayed the CVE assignment. When a CVE is assigned to these vulnerabilities, we will update this post.