In a single concentrated research sprint, the Sherlock Forensics lab identified four zero-day vulnerabilities across widely deployed Windows software. As of writing, none of them have a vendor patch available. Three are full local privilege escalations to SYSTEM. One is an unauthenticated local control channel that lets a standard user reach SYSTEM-level services without proper authorization. Every finding is under coordinated 90-day disclosure.
What we found, at altitude
The headline is bigger than the codenames. One lab. One sprint. Four findings. Three vendors involved across two product families. None patched at the time of publication.
The full advisory tracker for each finding lives on the Sherlock Forensics Labs page. Below is the at-altitude summary for buyers, peers and press. Mechanics are deliberately omitted while the disclosure windows are active.
The four findings (5-line summary)
Each item is a confirmed, unpatched zero-day under active vendor coordination. Codename plus advisory ID plus vendor plus product plus class. Nothing more while the embargo holds.
- SF-LABS-2026-01 BIG BROTHER. Brother bundled Windows device software. Local privilege escalation. A standard non-administrator user can gain full SYSTEM control of a Windows machine running the affected component. Awaiting vendor acknowledgement at time of writing.
- SF-LABS-2026-02 BLANK CHECK. Intuit QuickBooks Desktop. Local privilege escalation. A standard user reaches SYSTEM with no admin rights, no reboot and no user interaction. Confirmed on the current fully-updated release. Reported to Intuit. Awaiting vendor acknowledgement.
- SF-LABS-2026-03 SILENT NIGHT. A second distinct SYSTEM-level finding in Intuit QuickBooks Desktop, separate from BLANK CHECK. Single-step escalation. Confirmed on the current release. Awaiting vendor acknowledgement.
- SF-LABS-2026-04 PARTY LINE. Brother iPrint&Scan for Windows. Local privilege escalation (missing authorization). Components running in an elevated context accept actions from unprivileged callers without proper authorization checks. Surfaced by the Sherlock EoP Auditor (see below). Vendor report in preparation.
- One tool drove all four. The same in-house Sherlock EoP Auditor surfaced PARTY LINE start to finish and independently re-confirmed the three SYSTEM-level findings the lab had already discovered by hand. One tool. Four findings. That is the through-line.
What "0-patch" actually means
Every one of the four findings is currently 0-patch. There is no vendor fix available at the time of publication. That is not unusual at this stage. Coordinated disclosure exists precisely because vendors need time to ship a quality fix without an attacker race. Sherlock Forensics holds the technical detail private during this window and publishes the codename plus advisory ID so the security community can track active research without ammunition leaking.
What 0-patch does not mean: it does not mean the findings are unimportant. SYSTEM-level local privilege escalation is the highest local-account compromise on Windows. An attacker with a regular user foothold can pivot to total control of the host. From there it is lateral movement, persistence and ransomware staging. Local privilege escalation is the bridge between "we got in" and "we own everything."
Three classes the lab tracks
The four findings cluster across three recurring local privilege escalation classes that the Sherlock Forensics lab tracks across vendor software. The class names are publicly known security concepts. The specific class assignment per finding is published on the Labs page. Mechanism specifics stay private during active disclosure windows.
Untrusted load path class. A well-known class category in Windows local privilege escalation literature. BIG BROTHER is published on the Labs page as belonging to this class category.
Trusted privileged operation class. A well-known class category covering routines that can be steered by an under-privileged caller. BLANK CHECK and SILENT NIGHT are both published on the Labs page as belonging to this class category.
Missing authorization class. A well-known class category in Windows IPC security. PARTY LINE is published on the Labs page as belonging to this class category.
For defenders, the operational takeaway is at concept level: each class represents a category of common implementation oversight that the Sherlock EoP Auditor specifically checks across Windows hosts. Class-level remediation patterns are widely documented in Windows security guidance.
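As an added, defender-side illustration of the untrusted load path class (example code written for this article, not Sherlock Forensics or Auditor code, and not tied to any of the four findings), the script below performs the kind of read-only check a fleet administrator can run today: it lists services that run as a privileged account and whose image path is unquoted with embedded spaces, or whose executable or containing directory grants write, delete, re-ACL or take-ownership rights to low-privilege principals. The low-privilege SID list and the rights mask are assumptions chosen for this example; widen them to match your own baseline.

```powershell
# Added example, not Sherlock Forensics or Auditor code: a read-only audit for the
# untrusted load path class. Run from an elevated PowerShell session; it changes nothing.

$PrivilegedAccounts = @('LocalSystem', 'NT AUTHORITY\SYSTEM',
                        'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
# Assumed low-privilege principals: Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE
$LowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')
# Rights that let a caller replace or retarget a binary: write, delete, re-ACL, take ownership
$DangerousRights = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Get-ServiceImage {
    # Split the service image path into the executable path and whether it was quoted.
    param([string]$PathName)
    $expanded = [Environment]::ExpandEnvironmentVariables($PathName)
    if ($expanded -match '^"([^"]+)"') { return @{ Path = $Matches[1]; Quoted = $true } }
    if ($expanded -match '^(.+?\.exe)')  { return @{ Path = $Matches[1]; Quoted = $false } }
    return @{ Path = ($expanded -split ' ')[0]; Quoted = $false }
}

function Test-LowPrivWrite {
    # True when any Allow ACE grants a low-privilege SID one of the dangerous rights.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # unresolvable account: skip rather than guess
        if ($LowPrivSids -contains $sid -and (([int]$ace.FileSystemRights -band $DangerousRights) -ne 0)) { return $true }
    }
    return $false
}

function Find-UntrustedServicePaths {
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -and $PrivilegedAccounts -contains $_.StartName } |
        ForEach-Object {
            $image = Get-ServiceImage $_.PathName
            $issues = @()
            if (-not $image.Quoted -and $image.Path -match ' ') { $issues += 'unquoted path with spaces' }
            if (Test-Path -LiteralPath $image.Path) {
                if (Test-LowPrivWrite $image.Path) { $issues += 'executable writable by low-privilege users' }
                if (Test-LowPrivWrite (Split-Path -LiteralPath $image.Path -Parent)) { $issues += 'directory writable by low-privilege users' }
            } else { $issues += 'executable not found (path resolution ambiguous)' }
            if ($issues) { [pscustomobject]@{ Service = $_.Name; Account = $_.StartName; Path = $image.Path; Issues = ($issues -join '; ') } }
        }
}

Find-UntrustedServicePaths | Format-Table -AutoSize
```

Each row is a remediation item (quote the path, or tighten the ACL on the directory or binary), not a verdict; generic access rights and inherited ACEs on parent directories are outside what this short check evaluates.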
The capability story
The proof point everything markets around is this: one in-house tool found one brand new zero-day and re-confirmed three more in the same sprint. The Sherlock EoP Auditor is the tool. It is the productization of the manual workflow our lab has run by hand for years.
The Auditor maps the local privilege escalation surface of a Windows host the way an attacker would. Enumerate privileged services. Inspect the local interfaces. Probe authorization. Map untrusted load paths. Surface findings in plain language with a verdict.
The product page is live and the early-access notification list is open. The binary itself is in early access while we wait for the PARTY LINE disclosure window to complete with Brother. We will not ship a download that contains the reproduction of an unpatched 0-day. That is responsibility and capability in the same breath.
How we handle disclosure
Coordinated 90-day disclosure is the lab's standard policy. The pipeline:
- Reproducible confirmation. Every finding is reproduced on the lab's own authorized infrastructure before any vendor contact. No client or production system is ever involved in vulnerability research.
- Conservative impact assessment. The lab characterizes findings at the most defensible level rather than the most dramatic. PARTY LINE is being scoped as missing authorization plus denial of service plus configuration disclosure pending full measured assessment.
- Vendor notification with technical detail. Vendors receive the full report with technical mechanics, reproduction steps and a 90-day window to ship a fix.
- Public placeholder. The lab publishes the codename plus advisory ID plus impact class plus status on the Labs page. No exploitation detail. No reproduction steps.
- Release on patch or window expiry. Full technical write-up publishes when the vendor confirms a fix is available or the 90-day window expires, whichever is first.
For incident response teams that need pre-release notification under NDA, the contact is labs@sherlockforensics.com. Early-release provisions are available to vendors and incident responders under terms.
What an active disclosure costs to run
Most readers underestimate the operational cost of running an active disclosure window. The lab is not just sitting on findings while the 90-day clock runs. Active disclosures require ongoing work: weekly status checks with each vendor coordinator, answering technical questions as the vendor's engineering team digs into the report, extension negotiation when vendors make demonstrable progress and need more time, pre-release planning with the vendor's security communications team for a synchronized public release, and continuous monitoring of whether the finding gets independently rediscovered or leaked before the window closes.
For the four currently active disclosures (BIG BROTHER, BLANK CHECK, SILENT NIGHT, PARTY LINE), the lab maintains separate reproduction environments per finding, version-pinned reference installations, full Sherlock Disk Imager snapshots of pre-discovery system state for clean re-confirmation plus chain-of-custody hash verification using the free Sherlock hash verifier for every artifact that may end up in a court submission later. The infrastructure carries cost. The discipline carries cost. The output is what the customer is buying.
How Sherlock disclosure compares to peer programs
Coordinated disclosure programs come in three rough categories. Bug bounty platforms (HackerOne, Bugcrowd) where individual researchers report findings to vendors via a coordinator and receive bounty payments. Vendor in-house programs (Microsoft MSRC, Google Project Zero, Apple Security Bounty) where the vendor's own security research team or contracted researchers handle disclosure end to end. Independent research labs (Sherlock Forensics Labs, Sonatype, Sentinel Labs, Trail of Bits) where a private firm maintains its own disclosure pipeline and publishes findings under its own brand.
Sherlock Forensics Labs sits in the third category. The operational differences matter for buyers evaluating the credibility of a vulnerability research program. Bug bounty researchers receive a fixed payment per finding and move on. Vendor in-house teams answer to corporate timelines and PR considerations. Independent labs like Sherlock Forensics own the disclosure end to end, which means accountability for the conservative impact assessment, the technical depth, the vendor communication discipline and the public release quality is concentrated in one team that has built its name on it.
For digital forensics clients evaluating who to retain for breach response, the question to ask is whether the firm's vulnerability research operates with the same rigor the firm's forensic examinations would in court. The Sherlock Forensics answer is yes by design. The same CISSP, ISSAP and ISSMP credentialed examiners who handle incident response retainers run the lab. The same chain-of-custody discipline that produces a court-defensible email forensic report produces a vendor-defensible coordinated disclosure report. The skill transfer is bidirectional.
The four codenames at Labs-disclosure level
Each item is a confirmed unpatched finding under active vendor coordination. Per Sherlock Forensics disclosure policy, the public reference for each codename is the corresponding Labs page entry. Article-level content does not add specifics beyond Labs disclosure during active embargo windows.
BIG BROTHER (SF-LABS-2026-01). Brother bundled Windows device software. Local privilege escalation. Reported to Brother PSIRT. Awaiting vendor acknowledgement. Full Labs disclosure page for status and Labs-level details.
BLANK CHECK (SF-LABS-2026-02). Intuit QuickBooks Desktop. Local privilege escalation. Reported to Intuit via HackerOne. Awaiting vendor acknowledgement. Full Labs disclosure page for status and Labs-level details.
SILENT NIGHT (SF-LABS-2026-03). Intuit QuickBooks Desktop. A second distinct SYSTEM-level finding in the same product, separate from BLANK CHECK. Reported to Intuit via HackerOne. Awaiting vendor acknowledgement. Full Labs disclosure page for status and Labs-level details.
PARTY LINE (SF-LABS-2026-04). Brother iPrint&Scan for Windows. Local privilege escalation in the missing authorization class category. Vendor report in preparation. Surfaced by the Sherlock EoP Auditor. Full Labs disclosure page for status and Labs-level details.
What this means for buyers
If you are evaluating Sherlock Forensics for an offensive engagement, court-defensible digital forensics or incident response retainer, the four findings in this sprint are the credibility proof point. The same lab that discloses Windows zero-days under coordinated 90-day windows is the lab that handles your breach investigation. The judgment that runs the vulnerability research is the same judgment that reads incident timelines.
If you are running a Windows fleet at any scale, the takeaway is operational. Third-party software that ships with privileged Windows services is a class of attack surface that almost never gets reviewed. The Sherlock EoP Auditor is the tool the lab built to automate that review. The services practice covers the same surface manually for engagements that need a human in the loop.
Live status
Live disclosure status, advisory IDs and per-finding details for all four are on the Sherlock Forensics Labs page. Status will update as vendor coordination progresses. The Labs page is the canonical source. For an enterprise or MSP licensing conversation about the Sherlock EoP Auditor or a guided Windows fleet review, the contact is labs@sherlockforensics.com.
Track the four findings as vendor coordination progresses. Open the Labs disclosure tracker or join the EoP Auditor early-access list.