SF-LABS-2026-01 / Vulnerability Disclosure

Intuit QuickBooks Desktop Local Privilege Escalation

Active disclosure window

A standard non-administrator user can seize full SYSTEM control of any Windows machine running the affected QuickBooks Desktop component. No administrator rights required. No reboot required. No user interaction required. The clip below shows the complete escalation from an ordinary user prompt to a SYSTEM shell in a single step. The affected component has shipped unchanged across more than a decade of QuickBooks Desktop releases. We have reported this to Intuit and are coordinating remediation. The full root-cause analysis, affected-version matrix and proof-of-concept will be published here when the disclosure window closes.

Disclosure Record

Timeline and Affected Surface

Advisory ID: SF-LABS-2026-01
Vendor: Intuit
Product: QuickBooks Desktop
Vulnerability class: Local privilege escalation to SYSTEM
Discovery date: 2026-06-11
Vendor notified: 2026-06-11
90-day expiry: 2026-09-09
CVE ID: Pending CVE assignment
Affected versions: Disclosed when the disclosure window closes
Researcher: Ryan Purita, Principal Security Consultant, Sherlock Forensics
Methodology: Original research by Sherlock Forensics Labs

Sherlock Forensics adheres to coordinated disclosure timelines. Technical specifics, proof-of-concept code and remediation guidance will be published on the date specified above or earlier with vendor approval. We do not publish details that could enable exploitation while affected users remain vulnerable.

Demonstration

Proof-of-Concept Video

Video proof-of-concept will be added when available. The recording shows the escalation path end-to-end, from the unprivileged-user starting state to the SYSTEM shell that results.

Public Summary

What is Publicly Disclosed Now

SF-LABS-2026-01 is a local privilege escalation. The exploit requires the attacker to already have code execution in a standard non-administrator user context on the target machine. That foothold is the routine outcome of phishing, drive-by download or commodity malware. SF-LABS-2026-01 converts any such standard-user foothold into SYSTEM in a single step, on a fully patched endpoint running affected QuickBooks Desktop versions, with no user interaction required.

The vulnerability sits in a component that has shipped unchanged across more than a decade of QuickBooks Desktop releases. The affected-version matrix will be published when the disclosure window closes. Defensive recommendations for the embargo period are limited to standard local-attack-surface hardening: enforce least-privilege user accounts, monitor SYSTEM-integrity process creation from user-context parents, and review the installed-software inventory against the public affected-versions list once it lands.
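
One way to implement the process-creation monitoring recommended above, as an added example that is not Sherlock Forensics' code. It assumes Sysmon Event ID 1 records already parsed into dicts, runs on constructed sample events, and is a generic parent/child heuristic rather than a signature for SF-LABS-2026-01, whose details are not public.

```python
# Added example. Field names follow Sysmon Event ID 1 (ProcessCreate);
# every event below is constructed sample data, not taken from the advisory.
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
USER_LEVELS = {"Low", "Medium"}  # integrity levels of a non-elevated standard user

def find_user_to_system_spawns(events):
    """Flag SYSTEM children whose parent process ran in a standard-user context.

    events: chronological dicts, one per process creation. Parents are resolved
    through ParentProcessGuid; SYSTEM children whose parent was never logged are
    returned separately so the coverage gap is visible instead of silent.
    """
    seen = {}  # ProcessGuid -> (User, IntegrityLevel, Image)
    alerts, unresolved = [], []
    for ev in events:
        seen[ev["ProcessGuid"]] = (ev["User"], ev["IntegrityLevel"], ev["Image"])
        is_system = (ev["IntegrityLevel"] == "System"
                     or ev["User"].upper() == SYSTEM_USER)
        if not is_system:
            continue
        parent = seen.get(ev["ParentProcessGuid"])
        if parent is None:
            unresolved.append(ev["ProcessGuid"])
            continue
        p_user, p_level, p_image = parent
        if p_level in USER_LEVELS and p_user.upper() != SYSTEM_USER:
            alerts.append({"child": ev["Image"], "child_guid": ev["ProcessGuid"],
                           "parent": p_image, "parent_user": p_user})
    return alerts, unresolved

def _ev(guid, parent, image, user, level):
    return {"ProcessGuid": guid, "ParentProcessGuid": parent, "Image": image,
            "User": user, "IntegrityLevel": level}

SAMPLE_EVENTS = [  # constructed
    _ev("{A-1}", "{A-0}", r"C:\Windows\System32\services.exe", SYSTEM_USER, "System"),
    _ev("{A-2}", "{A-1}", r"C:\Windows\System32\svchost.exe", SYSTEM_USER, "System"),
    _ev("{B-1}", "{B-0}", r"C:\Windows\explorer.exe", r"WORKSTATION\alice", "Medium"),
    _ev("{B-2}", "{B-1}", r"C:\Windows\System32\cmd.exe", r"WORKSTATION\alice", "Medium"),
    _ev("{B-3}", "{B-2}", r"C:\Windows\System32\cmd.exe", SYSTEM_USER, "System"),
]

if __name__ == "__main__":
    alerts, unresolved = find_user_to_system_spawns(SAMPLE_EVENTS)
    for a in alerts:
        print("ALERT", a)
    print("parent not logged:", unresolved)
```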

Sherlock Forensics will publish full technical detail (vulnerability class root cause, affected code paths, proof-of-concept, remediation guidance) when the disclosure window closes or earlier on vendor approval. Researchers and incident response teams who need pre-release notification under NDA can reach the lab at labs@sherlockforensics.com.

About

About Sherlock Forensics Labs

Sherlock Forensics Labs is the research arm of Sherlock Forensics, a Vancouver BC based digital forensics and cybersecurity practice. Lead researcher Ryan Purita is a Principal Security Consultant with 20 years of courtroom-tested digital forensics work plus CISSP, ISSAP and ISSMP certification. The lab follows industry-standard 90-day coordinated disclosure with vendor-acknowledged early-release provisions. See the Labs hub for active and archived disclosures.