SF-LABS-2026-01 / BIG BROTHER / Vulnerability Disclosure
Brother Windows Device Software BIG BROTHER Local Privilege Escalation
A standard, non-administrator user can gain full SYSTEM control of a Windows machine running bundled Brother device software, with no admin rights and no user interaction. Reported to the vendor. Full technical write-up and proof-of-concept will be published here when the disclosure window closes.
Disclosure Record
Timeline and Affected Surface
Public Summary
What is Publicly Disclosed Now
SF-LABS-2026-01 BIG BROTHER is a local privilege escalation in bundled Brother device software that is widely deployed across Windows fleets. The exploit requires the attacker to already have code execution in a standard non-administrator user context on the target machine. That foothold is the routine outcome of phishing, drive-by download or commodity malware. BIG BROTHER converts any such standard-user foothold into SYSTEM on a fully patched endpoint running affected Brother software.
Defensive recommendations for the embargo period are limited to standard local-attack-surface hardening: enforce least-privilege user accounts, restrict execution of unsigned or untrusted binaries from user-writable locations and review installed Brother software components against the public affected-versions list once it lands.
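For the last recommendation, the following is an added example (not Sherlock Forensics or Brother code) that inventories Brother-related installed software per host, so the result can be compared with the affected-versions list once it is published. The `Brother` match pattern and the output file name are assumptions. Only software registered under the Windows uninstall keys is listed.

```powershell
# Added example: list installed software whose name or publisher mentions "Brother".
# The match pattern and the CSV file name are assumptions, not vendor guidance.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',              # 64-bit, machine-wide
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 32-bit, machine-wide
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'               # per-user installs
)

$inventory = foreach ($root in $uninstallRoots) {
    Get-ItemProperty -Path $root -ErrorAction SilentlyContinue |
        Where-Object {
            # Check both fields: some entries leave Publisher empty.
            $_.DisplayName -match 'Brother' -or $_.Publisher -match 'Brother'
        } |
        ForEach-Object {
            [pscustomobject]@{
                ComputerName    = $env:COMPUTERNAME
                DisplayName     = $_.DisplayName
                DisplayVersion  = $_.DisplayVersion
                Publisher       = $_.Publisher
                InstallLocation = $_.InstallLocation
                RegistryKey     = $_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
            }
        }
}

# The same product can appear under more than one hive; keep one row per name and version.
$inventory = $inventory | Sort-Object DisplayName, DisplayVersion -Unique

if ($inventory) {
    $inventory | Format-Table DisplayName, DisplayVersion, Publisher -AutoSize
    # Keep a per-host record for comparison against the affected-versions list later.
    $inventory | Export-Csv -Path ".\brother-inventory-$($env:COMPUTERNAME).csv" -NoTypeInformation
} else {
    Write-Output "No installed software matching 'Brother' found on $env:COMPUTERNAME."
}
```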
Sherlock Forensics will publish full technical detail when the disclosure window closes or earlier on vendor approval. Researchers and incident response teams who need pre-release notification under NDA can reach the lab at labs@sherlockforensics.com.
About
About Sherlock Forensics Labs
Sherlock Forensics Labs is the research arm of Sherlock Forensics, a Vancouver, BC-based digital forensics and cybersecurity practice. Lead researcher Ryan Purita is a Principal Security Consultant with 20 years of courtroom-tested digital forensics work plus CISSP, ISSAP and ISSMP certification. The lab follows industry-standard 90-day coordinated disclosure with vendor-acknowledged early-release provisions. See the Labs hub for active and archived disclosures.